kubescape.json
{"generationTime":"2022-11-02T07:55:55.697021698Z","metadata":{"targetMetadata":{},"clusterMetadata":{},"scanMetadata":{}},"clusterAPIServerInfo":null,"customerGUID":"","clusterName":"","clusterCloudProvider":"","reportGUID":"","jobID":"","resources":[{"resourceID":"path=1881121400/api=apps/v1//Deployment/paymentservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"paymentservice"},"sourcePath":"examples/online-boutique/paymentservice.yaml","spec":{"selector":{"matchLabels":{"app":"paymentservice"}},"template":{"metadata":{"labels":{"app":"paymentservice"}},"spec":{"containers":[{"name":"server","image":"paymentservice","ports":[{"containerPort":50051}],"env":[{"name":"PORT","value":"XXXXXX"}],"resources":{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:50051"]}},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:50051"]}}}],"serviceAccountName":"default","terminationGracePeriodSeconds":5}}}},"source":{"relativePath":"examples/online-boutique/paymentservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml 
input\n"}}},{"resourceID":"path=2686782197/api=apps/v1//Deployment/recommendationservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"recommendationservice"},"sourcePath":"examples/online-boutique/recommendationservice.yaml","spec":{"selector":{"matchLabels":{"app":"recommendationservice"}},"template":{"metadata":{"labels":{"app":"recommendationservice"}},"spec":{"containers":[{"name":"server","image":"recommendationservice","ports":[{"containerPort":8080}],"env":[{"name":"PORT","value":"XXXXXX"},{"name":"PRODUCT_CATALOG_SERVICE_ADDR","value":"XXXXXX"}],"resources":{"limits":{"cpu":"200m","memory":"450Mi"},"requests":{"cpu":"100m","memory":"220Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:8080"]},"periodSeconds":5},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:8080"]},"periodSeconds":5}}],"serviceAccountName":"default","terminationGracePeriodSeconds":5}}}},"source":{"relativePath":"examples/online-boutique/recommendationservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml 
input\n"}}},{"resourceID":"/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding","object":{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"kubescape","relatedObjects":[{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"name":"kubescape-discovery-role-binding"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"kubescape-discovery-clusterroles"},"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml","subjects":[{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"kubescape"}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"kubescape-discovery-clusterroles"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["get","list","describe"]}],"sourcePath":"httphandler/examples/microservice/ks-deployment.yaml"}]}},{"resourceID":"//ServiceAccount/kubescape-discovery/path=2738873395/api=rbac.authorization.k8s.io/v1//RoleBinding/-kubescape/path=3787836522/api=rbac.authorization.k8s.io/v1//ClusterRole/-kubescape","object":{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"","relatedObjects":[{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"labels":{"app.kubernetes.io/instance":null,"app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"kubescape","app.kubernetes.io/version":"v1.0.128","helm.sh/chart":"kubescape-1.0.0"},"name":"-kubescape"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"-kubescape"},"sourcePath":"/tmp/3387783067/examples/helm_chart/templates/rolebinding.yaml","subjects":[{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":""}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"labels":{"app.kubernetes.io/
instance":null,"app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"kubescape","app.kubernetes.io/version":"v1.0.128","helm.sh/chart":"kubescape-1.0.0"},"name":"-kubescape"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["get","list","describe"]}],"sourcePath":"/tmp/3387783067/examples/helm_chart/templates/clusterrole.yaml"}]}},{"resourceID":"path=1161725811/api=apps/v1//Deployment/adservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"adservice"},"sourcePath":"examples/online-boutique/adservice.yaml","spec":{"selector":{"matchLabels":{"app":"adservice"}},"template":{"metadata":{"labels":{"app":"adservice"}},"spec":{"containers":[{"name":"server","image":"adservice","ports":[{"containerPort":9555}],"env":[{"name":"PORT","value":"XXXXXX"}],"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"200m","memory":"180Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:9555"]},"initialDelaySeconds":20,"periodSeconds":15},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:9555"]},"initialDelaySeconds":20,"periodSeconds":15}}],"serviceAccountName":"default","terminationGracePeriodSeconds":5}}}},"source":{"relativePath":"examples/online-boutique/adservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml 
input\n"}}},{"resourceID":"path=3591976602/api=apps/v1/kubescape/Deployment/kubescape","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"labels":{"app":"kubescape"},"name":"kubescape","namespace":"kubescape"},"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml","spec":{"replicas":1,"selector":{"matchLabels":{"app":"kubescape"}},"template":{"metadata":{"labels":{"app":"kubescape"}},"spec":{"containers":[{"name":"kubescape","image":"quay.io/kubescape/kubescape:latest","command":["ksserver"],"ports":[{"name":"http","containerPort":8080,"protocol":"TCP"}],"env":[{"name":"KS_DEFAULT_CONFIGMAP_NAMESPACE","value":"XXXXXX","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"metadata.namespace"}}},{"name":"KS_SKIP_UPDATE_CHECK","value":"XXXXXX"},{"name":"KS_ENABLE_HOST_SCANNER","value":"XXXXXX"},{"name":"KS_DOWNLOAD_ARTIFACTS","value":"XXXXXX"}],"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"10m","memory":"100Mi"}},"livenessProbe":{"httpGet":{"path":"/livez","port":8080},"initialDelaySeconds":3,"periodSeconds":3},"readinessProbe":{"httpGet":{"path":"/readyz","port":8080},"initialDelaySeconds":3,"periodSeconds":3},"imagePullPolicy":"Always"}],"serviceAccountName":"kubescape-discovery"}}}},"source":{"relativePath":"httphandler/examples/prometheus/ks-deployment.yaml","fileType":"YAML","lastCommit":{"hash":"cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb","date":"2022-08-23T12:33:48+03:00","committerName":"David Wertenteil","committerEmail":"[email protected]","message":"replace armo by kubescape mentioned in 
urls\n"}}},{"resourceID":"path=2924266659/api=apps/v1//Deployment/frontend","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"frontend"},"sourcePath":"examples/online-boutique/frontend.yaml","spec":{"selector":{"matchLabels":{"app":"frontend"}},"template":{"metadata":{"annotations":{"sidecar.istio.io/rewriteAppHTTPProbers":"true"},"labels":{"app":"frontend"}},"spec":{"containers":[{"name":"server","image":"frontend","ports":[{"containerPort":8080}],"env":[{"name":"PORT","value":"XXXXXX"},{"name":"PRODUCT_CATALOG_SERVICE_ADDR","value":"XXXXXX"},{"name":"CURRENCY_SERVICE_ADDR","value":"XXXXXX"},{"name":"CART_SERVICE_ADDR","value":"XXXXXX"},{"name":"RECOMMENDATION_SERVICE_ADDR","value":"XXXXXX"},{"name":"SHIPPING_SERVICE_ADDR","value":"XXXXXX"},{"name":"CHECKOUT_SERVICE_ADDR","value":"XXXXXX"},{"name":"AD_SERVICE_ADDR","value":"XXXXXX"},{"name":"ENV_PLATFORM","value":"XXXXXX"}],"resources":{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}},"livenessProbe":{"httpGet":{"path":"/_healthz","port":8080,"httpHeaders":[{"name":"Cookie","value":"shop_session-id=x-liveness-probe"}]},"initialDelaySeconds":10},"readinessProbe":{"httpGet":{"path":"/_healthz","port":8080,"httpHeaders":[{"name":"Cookie","value":"shop_session-id=x-readiness-probe"}]},"initialDelaySeconds":10}}],"serviceAccountName":"default"}}}},"source":{"relativePath":"examples/online-boutique/frontend.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml 
input\n"}}},{"resourceID":"path=1644445903/api=apps/v1/kubescape/Deployment/kubescape","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"labels":{"app":"kubescape"},"name":"kubescape","namespace":"kubescape"},"sourcePath":"httphandler/examples/microservice/ks-deployment.yaml","spec":{"replicas":1,"selector":{"matchLabels":{"app":"kubescape"}},"template":{"metadata":{"labels":{"app":"kubescape"}},"spec":{"containers":[{"name":"kubescape","image":"quay.io/kubescape/kubescape:latest","command":["ksserver"],"ports":[{"name":"http","containerPort":8080,"protocol":"TCP"}],"env":[{"name":"KS_DEFAULT_CONFIGMAP_NAMESPACE","value":"XXXXXX","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"metadata.namespace"}}},{"name":"KS_SKIP_UPDATE_CHECK","value":"XXXXXX"},{"name":"KS_ENABLE_HOST_SCANNER","value":"XXXXXX"},{"name":"KS_DOWNLOAD_ARTIFACTS","value":"XXXXXX"}],"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"10m","memory":"100Mi"}},"livenessProbe":{"httpGet":{"path":"/livez","port":8080},"initialDelaySeconds":3,"periodSeconds":3},"readinessProbe":{"httpGet":{"path":"/readyz","port":8080},"initialDelaySeconds":3,"periodSeconds":3},"imagePullPolicy":"Always"}],"serviceAccountName":"kubescape-discovery"}}}},"source":{"relativePath":"httphandler/examples/microservice/ks-deployment.yaml","fileType":"YAML","lastCommit":{"hash":"cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb","date":"2022-08-23T12:33:48+03:00","committerName":"David Wertenteil","committerEmail":"[email protected]","message":"replace armo by kubescape mentioned in 
urls\n"}}},{"resourceID":"path=3591976602/api=/v1/kubescape/ServiceAccount/kubescape-discovery","object":{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"labels":{"app":"kubescape"},"name":"kubescape-discovery","namespace":"kubescape"},"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml"},"source":{"relativePath":"httphandler/examples/prometheus/ks-deployment.yaml","fileType":"YAML","lastCommit":{"hash":"cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb","date":"2022-08-23T12:33:48+03:00","committerName":"David Wertenteil","committerEmail":"[email protected]","message":"replace armo by kubescape mentioned in urls\n"}}},{"resourceID":"path=3919891740/api=/v1//ServiceAccount/kubescape-discovery","object":{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"labels":{"app.kubernetes.io/instance":null,"app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"kubescape","app.kubernetes.io/version":"v1.0.128","helm.sh/chart":"kubescape-1.0.0"},"name":"kubescape-discovery"},"sourcePath":"/tmp/3387783067/examples/helm_chart/templates/serviceaccount.yaml"},"source":{"relativePath":"examples/helm_chart/templates/serviceaccount.yaml","fileType":"Helm Chart","helmChartName":"kubescape","lastCommit":{"hash":"57160c4d0498c93bdba6e25b3f8cae8158cb5674","date":"2021-11-07T21:17:45+02:00","committerName":"Yonah Dissen","committerEmail":"[email protected]","message":"add helm chart to deploy kubescape in 
cluster\n"}}},{"resourceID":"path=423865324/api=/v1//Service/productcatalogservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"productcatalogservice"},"sourcePath":"examples/online-boutique/productcatalogservice.yaml","spec":{"ports":[{"name":"grpc","port":3550,"targetPort":3550}],"selector":{"app":"productcatalogservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/productcatalogservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml input\n"}}},{"resourceID":"path=4115069426/api=/v1//Service/emailservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"emailservice"},"sourcePath":"examples/online-boutique/emailservice.yaml","spec":{"ports":[{"name":"grpc","port":5000,"targetPort":8080}],"selector":{"app":"emailservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/emailservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml 
input\n"}}},{"resourceID":"path=2738873395/api=rbac.authorization.k8s.io/v1//RoleBinding/-kubescape","object":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"labels":{"app.kubernetes.io/instance":null,"app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"kubescape","app.kubernetes.io/version":"v1.0.128","helm.sh/chart":"kubescape-1.0.0"},"name":"-kubescape"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"-kubescape"},"sourcePath":"/tmp/3387783067/examples/helm_chart/templates/rolebinding.yaml","subjects":[{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":""}]},"source":{"relativePath":"examples/helm_chart/templates/rolebinding.yaml","fileType":"Helm Chart","helmChartName":"kubescape","lastCommit":{"hash":"57160c4d0498c93bdba6e25b3f8cae8158cb5674","date":"2021-11-07T21:17:45+02:00","committerName":"Yonah Dissen","committerEmail":"[email protected]","message":"add helm chart to deploy kubescape in cluster\n"}}},{"resourceID":"path=4285981016/api=/v1//Service/cartservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"cartservice"},"sourcePath":"examples/online-boutique/cartservice.yaml","spec":{"ports":[{"name":"grpc","port":7070,"targetPort":7070}],"selector":{"app":"cartservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/cartservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml 
input\n"}}},{"resourceID":"path=1966984206/api=apps/v1//Deployment/redis-cart","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"redis-cart"},"sourcePath":"examples/online-boutique/redis.yaml","spec":{"selector":{"matchLabels":{"app":"redis-cart"}},"template":{"metadata":{"labels":{"app":"redis-cart"}},"spec":{"containers":[{"name":"redis","image":"redis:alpine","ports":[{"containerPort":6379}],"resources":{"limits":{"cpu":"125m","memory":"256Mi"},"requests":{"cpu":"70m","memory":"200Mi"}},"volumeMounts":[{"name":"redis-data","mountPath":"/data"}],"livenessProbe":{"tcpSocket":{"port":6379},"periodSeconds":5},"readinessProbe":{"tcpSocket":{"port":6379},"periodSeconds":5}}],"volumes":[{"emptyDir":{},"name":"redis-data"}]}}}},"source":{"relativePath":"examples/online-boutique/redis.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml 
input\n"}}},{"resourceID":"path=4285981016/api=apps/v1//Deployment/cartservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"cartservice"},"sourcePath":"examples/online-boutique/cartservice.yaml","spec":{"selector":{"matchLabels":{"app":"cartservice"}},"template":{"metadata":{"labels":{"app":"cartservice"}},"spec":{"containers":[{"name":"server","image":"cartservice","ports":[{"containerPort":7070}],"env":[{"name":"REDIS_ADDR","value":"XXXXXX"}],"resources":{"limits":{"cpu":"300m","memory":"128Mi"},"requests":{"cpu":"200m","memory":"64Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:7070","-rpc-timeout=5s"]},"initialDelaySeconds":15,"periodSeconds":10},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:7070","-rpc-timeout=5s"]},"initialDelaySeconds":15}}],"serviceAccountName":"default","terminationGracePeriodSeconds":5}}}},"source":{"relativePath":"examples/online-boutique/cartservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml 
input\n"}}},{"resourceID":"path=4203826079/api=apps/v1/kubescape-host-scanner/DaemonSet/host-scanner","object":{"apiVersion":"apps/v1","kind":"DaemonSet","metadata":{"labels":{"app":"host-scanner","k8s-app":"kubescape-host-scanner"},"name":"host-scanner","namespace":"kubescape-host-scanner"},"sourcePath":"core/pkg/hostsensorutils/hostsensor.yaml","spec":{"selector":{"matchLabels":{"name":"host-scanner"}},"template":{"metadata":{"labels":{"name":"host-scanner"}},"spec":{"automountServiceAccountToken":false,"containers":[{"name":"host-sensor","image":"quay.io/kubescape/host-scanner:v1.0.32","ports":[{"name":"scanner","hostPort":7888,"containerPort":7888,"protocol":"TCP"}],"resources":{"limits":{"cpu":"100u","memory":"200Mi"},"requests":{"cpu":"1m","memory":"200Mi"}},"volumeMounts":[{"name":"host-filesystem","mountPath":"/host_fs"}],"readinessProbe":{"httpGet":{"path":"/kernelVersion","port":7888}},"securityContext":{"privileged":true,"readOnlyRootFilesystem":true,"procMount":"Unmasked"}}],"dnsPolicy":"ClusterFirstWithHostNet","hostIPC":true,"hostNetwork":true,"hostPID":true,"terminationGracePeriodSeconds":120,"tolerations":[{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane","operator":"Exists"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}],"volumes":[{"hostPath":{"path":"/","type":"Directory"},"name":"host-filesystem"}]}}}},"source":{"relativePath":"core/pkg/hostsensorutils/hostsensor.yaml","fileType":"YAML","lastCommit":{"hash":"dc2c6f8a215e297bf65501000243cb172e1a5563","date":"2022-10-26T11:40:28+03:00","committerName":"YiscahLevySilas1","committerEmail":"[email protected]","message":"update hostsensor 
version"}}},{"resourceID":"//ServiceAccount/kubescape-discovery/path=3787836522/api=rbac.authorization.k8s.io/v1//ClusterRole/-kubescape/path=4235171603/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/-kubescape","object":{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"","relatedObjects":[{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"labels":{"app.kubernetes.io/instance":null,"app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"kubescape","app.kubernetes.io/version":"v1.0.128","helm.sh/chart":"kubescape-1.0.0"},"name":"-kubescape"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"-kubescape"},"sourcePath":"/tmp/3387783067/examples/helm_chart/templates/clusterrolebinding.yaml","subjects":[{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":""}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"labels":{"app.kubernetes.io/instance":null,"app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"kubescape","app.kubernetes.io/version":"v1.0.128","helm.sh/chart":"kubescape-1.0.0"},"name":"-kubescape"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["get","list","describe"]}],"sourcePath":"/tmp/3387783067/examples/helm_chart/templates/clusterrole.yaml"}]}},{"resourceID":"path=2451423745/api=/v1//Service/currencyservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"currencyservice"},"sourcePath":"examples/online-boutique/currencyservice.yaml","spec":{"ports":[{"name":"grpc","port":7000,"targetPort":7000}],"selector":{"app":"currencyservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/currencyservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml 
input\n"}}},{"resourceID":"/kubescape/Deployment/kubescape","object":{"kind":"Deployment","name":"kubescape","namespace":"kubescape","relatedObjects":{"apiVersion":"v1","kind":"Service","metadata":{"labels":{"app":"kubescape"},"name":"kubescape","namespace":"kubescape"},"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml","spec":{"ports":[{"name":"http","port":8080,"protocol":"TCP","targetPort":8080}],"selector":{"app":"kubescape"},"type":"ClusterIP"}}}},{"resourceID":"path=3591976602/api=/v1/kubescape/Service/kubescape","object":{"apiVersion":"v1","kind":"Service","metadata":{"labels":{"app":"kubescape"},"name":"kubescape","namespace":"kubescape"},"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml","spec":{"ports":[{"name":"http","port":8080,"protocol":"TCP","targetPort":8080}],"selector":{"app":"kubescape"},"type":"ClusterIP"}},"source":{"relativePath":"httphandler/examples/prometheus/ks-deployment.yaml","fileType":"YAML","lastCommit":{"hash":"cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb","date":"2022-08-23T12:33:48+03:00","committerName":"David Wertenteil","committerEmail":"[email protected]","message":"replace armo by kubescape mentioned in urls\n"}}},{"resourceID":"path=3015304832/api=/v1//Service/shippingservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"shippingservice"},"sourcePath":"examples/online-boutique/shippingservice.yaml","spec":{"ports":[{"name":"grpc","port":50051,"targetPort":50051}],"selector":{"app":"shippingservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/shippingservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml 
input\n"}}},{"resourceID":"path=1161725811/api=/v1//Service/adservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"adservice"},"sourcePath":"examples/online-boutique/adservice.yaml","spec":{"ports":[{"name":"grpc","port":9555,"targetPort":9555}],"selector":{"app":"adservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/adservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml input\n"}}},{"resourceID":"path=3015304832/api=apps/v1//Deployment/shippingservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"shippingservice"},"sourcePath":"examples/online-boutique/shippingservice.yaml","spec":{"selector":{"matchLabels":{"app":"shippingservice"}},"template":{"metadata":{"labels":{"app":"shippingservice"}},"spec":{"containers":[{"name":"server","image":"shippingservice","ports":[{"containerPort":50051}],"env":[{"name":"PORT","value":"XXXXXX"}],"resources":{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:50051"]}},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:50051"]},"periodSeconds":5}}],"serviceAccountName":"default"}}}},"source":{"relativePath":"examples/online-boutique/shippingservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml 
input\n"}}},{"resourceID":"path=1644445903/api=/v1/kubescape/Service/kubescape","object":{"apiVersion":"v1","kind":"Service","metadata":{"labels":{"app":"kubescape"},"name":"kubescape","namespace":"kubescape"},"sourcePath":"httphandler/examples/microservice/ks-deployment.yaml","spec":{"ports":[{"name":"http","port":8080,"protocol":"TCP","targetPort":8080}],"selector":{"app":"kubescape"},"type":"NodePort"}},"source":{"relativePath":"httphandler/examples/microservice/ks-deployment.yaml","fileType":"YAML","lastCommit":{"hash":"cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb","date":"2022-08-23T12:33:48+03:00","committerName":"David Wertenteil","committerEmail":"[email protected]","message":"replace armo by kubescape mentioned in urls\n"}}},{"resourceID":"path=1881121400/api=/v1//Service/paymentservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"paymentservice"},"sourcePath":"examples/online-boutique/paymentservice.yaml","spec":{"ports":[{"name":"grpc","port":50051,"targetPort":50051}],"selector":{"app":"paymentservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/paymentservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml input\n"}}},{"resourceID":"path=343424394/api=rbac.authorization.k8s.io/v1//Role/-kubescape","object":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"labels":{"app.kubernetes.io/instance":null,"app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"kubescape","app.kubernetes.io/version":"v1.0.128","helm.sh/chart":"kubescape-1.0.0"},"name":"-kubescape"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["get","list","describe"]}],"sourcePath":"/tmp/3387783067/examples/helm_chart/templates/role.yaml"},"source":{"relativePath":"examples/helm_chart/templates/role.yaml","fileType":"Helm 
Chart","helmChartName":"kubescape","lastCommit":{"hash":"57160c4d0498c93bdba6e25b3f8cae8158cb5674","date":"2021-11-07T21:17:45+02:00","committerName":"Yonah Dissen","committerEmail":"[email protected]","message":"add helm chart to deploy kubescape in cluster\n"}}},{"resourceID":"path=4115069426/api=apps/v1//Deployment/emailservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"emailservice"},"sourcePath":"examples/online-boutique/emailservice.yaml","spec":{"selector":{"matchLabels":{"app":"emailservice"}},"template":{"metadata":{"labels":{"app":"emailservice"}},"spec":{"containers":[{"name":"server","image":"emailservice","ports":[{"containerPort":8080}],"env":[{"name":"PORT","value":"XXXXXX"},{"name":"DISABLE_PROFILER","value":"XXXXXX"}],"resources":{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:8080"]},"periodSeconds":5},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:8080"]},"periodSeconds":5}}],"serviceAccountName":"default","terminationGracePeriodSeconds":5}}}},"source":{"relativePath":"examples/online-boutique/emailservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml 
input\n"}}},{"resourceID":"path=423865324/api=apps/v1//Deployment/productcatalogservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"productcatalogservice"},"sourcePath":"examples/online-boutique/productcatalogservice.yaml","spec":{"selector":{"matchLabels":{"app":"productcatalogservice"}},"template":{"metadata":{"labels":{"app":"productcatalogservice"}},"spec":{"containers":[{"name":"server","image":"productcatalogservice","ports":[{"containerPort":3550}],"env":[{"name":"PORT","value":"XXXXXX"}],"resources":{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:3550"]}},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:3550"]}}}],"serviceAccountName":"default","terminationGracePeriodSeconds":5}}}},"source":{"relativePath":"examples/online-boutique/productcatalogservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml 
input\n"}}},{"resourceID":"/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles","object":{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"kubescape","relatedObjects":[{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"name":"kubescape-discovery-role-binding"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"kubescape-discovery-clusterroles"},"sourcePath":"httphandler/examples/microservice/ks-deployment.yaml","subjects":[{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"kubescape"}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"kubescape-discovery-clusterroles"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["get","list","describe"]}],"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml"}]}},{"resourceID":"path=3591976602/api=/v1//Namespace/kubescape","object":{"apiVersion":"v1","kind":"Namespace","metadata":{"labels":{"app":"kubescape"},"name":"kubescape"},"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml"},"source":{"relativePath":"httphandler/examples/prometheus/ks-deployment.yaml","fileType":"YAML","lastCommit":{"hash":"cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb","date":"2022-08-23T12:33:48+03:00","committerName":"David Wertenteil","committerEmail":"[email protected]","message":"replace armo by kubescape mentioned in 
urls\n"}}},{"resourceID":"path=4038904612/api=apps/v1//Deployment/loadgenerator","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"loadgenerator"},"sourcePath":"examples/online-boutique/loadgenerator.yaml","spec":{"replicas":1,"selector":{"matchLabels":{"app":"loadgenerator"}},"template":{"metadata":{"annotations":{"sidecar.istio.io/rewriteAppHTTPProbers":"true"},"labels":{"app":"loadgenerator"}},"spec":{"containers":[{"name":"main","image":"loadgenerator","env":[{"name":"FRONTEND_ADDR","value":"XXXXXX"},{"name":"USERS","value":"XXXXXX"}],"resources":{"limits":{"cpu":"500m","memory":"512Mi"},"requests":{"cpu":"300m","memory":"256Mi"}}}],"restartPolicy":"Always","serviceAccountName":"default","terminationGracePeriodSeconds":5}}}},"source":{"relativePath":"examples/online-boutique/loadgenerator.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml 
input\n"}}},{"resourceID":"path=645840794/api=apps/v1//Deployment/checkoutservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"checkoutservice"},"sourcePath":"examples/online-boutique/checkoutservice.yaml","spec":{"selector":{"matchLabels":{"app":"checkoutservice"}},"template":{"metadata":{"labels":{"app":"checkoutservice"}},"spec":{"containers":[{"name":"server","image":"checkoutservice","ports":[{"containerPort":5050}],"env":[{"name":"PORT","value":"XXXXXX"},{"name":"PRODUCT_CATALOG_SERVICE_ADDR","value":"XXXXXX"},{"name":"SHIPPING_SERVICE_ADDR","value":"XXXXXX"},{"name":"PAYMENT_SERVICE_ADDR","value":"XXXXXX"},{"name":"EMAIL_SERVICE_ADDR","value":"XXXXXX"},{"name":"CURRENCY_SERVICE_ADDR","value":"XXXXXX"},{"name":"CART_SERVICE_ADDR","value":"XXXXXX"}],"resources":{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:5050"]}},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:5050"]}}}],"serviceAccountName":"default"}}}},"source":{"relativePath":"examples/online-boutique/checkoutservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml 
input\n"}}},{"resourceID":"path=4203826079/api=/v1//Namespace/kubescape-host-scanner","object":{"apiVersion":"v1","kind":"Namespace","metadata":{"labels":{"app":"kubescape-host-scanner","k8s-app":"kubescape-host-scanner","kubernetes.io/metadata.name":"kubescape-host-scanner","tier":"kubescape-host-scanner-control-plane"},"name":"kubescape-host-scanner"},"sourcePath":"core/pkg/hostsensorutils/hostsensor.yaml"},"source":{"relativePath":"core/pkg/hostsensorutils/hostsensor.yaml","fileType":"YAML","lastCommit":{"hash":"dc2c6f8a215e297bf65501000243cb172e1a5563","date":"2022-10-26T11:40:28+03:00","committerName":"YiscahLevySilas1","committerEmail":"[email protected]","message":"update hostsensor version"}}},{"resourceID":"path=645840794/api=/v1//Service/checkoutservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"checkoutservice"},"sourcePath":"examples/online-boutique/checkoutservice.yaml","spec":{"ports":[{"name":"grpc","port":5050,"targetPort":5050}],"selector":{"app":"checkoutservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/checkoutservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml input\n"}}},{"resourceID":"path=2924266659/api=/v1//Service/frontend-external","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"frontend-external"},"sourcePath":"examples/online-boutique/frontend.yaml","spec":{"ports":[{"name":"http","port":80,"targetPort":8080}],"selector":{"app":"frontend"},"type":"LoadBalancer"}},"source":{"relativePath":"examples/online-boutique/frontend.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml 
input\n"}}},{"resourceID":"path=2924266659/api=/v1//Service/frontend","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"frontend"},"sourcePath":"examples/online-boutique/frontend.yaml","spec":{"ports":[{"name":"http","port":80,"targetPort":8080}],"selector":{"app":"frontend"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/frontend.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml input\n"}}},{"resourceID":"path=2451423745/api=apps/v1//Deployment/currencyservice","object":{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"currencyservice"},"sourcePath":"examples/online-boutique/currencyservice.yaml","spec":{"selector":{"matchLabels":{"app":"currencyservice"}},"template":{"metadata":{"labels":{"app":"currencyservice"}},"spec":{"containers":[{"name":"server","image":"currencyservice","ports":[{"name":"grpc","containerPort":7000}],"env":[{"name":"PORT","value":"XXXXXX"}],"resources":{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}},"livenessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:7000"]}},"readinessProbe":{"exec":{"command":["/bin/grpc_health_probe","-addr=:7000"]}}}],"serviceAccountName":"default","terminationGracePeriodSeconds":5}}}},"source":{"relativePath":"examples/online-boutique/currencyservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml 
input\n"}}},{"resourceID":"/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding","object":{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"kubescape","relatedObjects":[{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"name":"kubescape-discovery-role-binding"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"kubescape-discovery-clusterroles"},"sourcePath":"httphandler/examples/microservice/ks-deployment.yaml","subjects":[{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"kubescape"}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"kubescape-discovery-clusterroles"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["get","list","describe"]}],"sourcePath":"httphandler/examples/microservice/ks-deployment.yaml"}]}},{"resourceID":"/kubescape/ServiceAccount/kubescape-discovery/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding","object":{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"kubescape","relatedObjects":[{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"name":"kubescape-discovery-role-binding"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"kubescape-discovery-clusterroles"},"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml","subjects":[{"kind":"ServiceAccount","name":"kubescape-discovery","namespace":"kubescape"}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"kubescape-discovery-clusterroles"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["get"
,"list","describe"]}],"sourcePath":"httphandler/examples/prometheus/ks-deployment.yaml"}]}},{"resourceID":"path=1966984206/api=/v1//Service/redis-cart","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"redis-cart"},"sourcePath":"examples/online-boutique/redis.yaml","spec":{"ports":[{"name":"redis","port":6379,"targetPort":6379}],"selector":{"app":"redis-cart"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/redis.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml input\n"}}},{"resourceID":"path=1644445903/api=/v1//Namespace/kubescape","object":{"apiVersion":"v1","kind":"Namespace","metadata":{"labels":{"app":"kubescape"},"name":"kubescape"},"sourcePath":"httphandler/examples/microservice/ks-deployment.yaml"},"source":{"relativePath":"httphandler/examples/microservice/ks-deployment.yaml","fileType":"YAML","lastCommit":{"hash":"cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb","date":"2022-08-23T12:33:48+03:00","committerName":"David Wertenteil","committerEmail":"[email protected]","message":"replace armo by kubescape mentioned in urls\n"}}},{"resourceID":"path=1644445903/api=/v1/kubescape/ServiceAccount/kubescape-discovery","object":{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"labels":{"app":"kubescape"},"name":"kubescape-discovery","namespace":"kubescape"},"sourcePath":"httphandler/examples/microservice/ks-deployment.yaml"},"source":{"relativePath":"httphandler/examples/microservice/ks-deployment.yaml","fileType":"YAML","lastCommit":{"hash":"cbd4fc1a80362c57bc0bec78bfbf9422f646a8fb","date":"2022-08-23T12:33:48+03:00","committerName":"David Wertenteil","committerEmail":"[email protected]","message":"replace armo by kubescape mentioned in 
urls\n"}}},{"resourceID":"path=2686782197/api=/v1//Service/recommendationservice","object":{"apiVersion":"v1","kind":"Service","metadata":{"name":"recommendationservice"},"sourcePath":"examples/online-boutique/recommendationservice.yaml","spec":{"ports":[{"name":"grpc","port":8080,"targetPort":8080}],"selector":{"app":"recommendationservice"},"type":"ClusterIP"}},"source":{"relativePath":"examples/online-boutique/recommendationservice.yaml","fileType":"YAML","lastCommit":{"hash":"96148ac6fd37d8d03572ad8c9bb5e60a4663c52a","date":"2021-08-26T17:41:11+03:00","committerName":"dwertent","committerEmail":"[email protected]","message":"support yaml input\n"}}}],"attributes":null,"results":[{"resourceID":"path=1881121400/api=apps/v1//Deployment/paymentservice","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed 
registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure 
capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and 
Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root 
containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource 
limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=1881121400/api=apps/v1//Deployment/paymentservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=2686782197/api=apps/v1//Deployment/recommendationservice","controls":[{"controlID":"C-0017","name":"Immutable container 
filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for 
resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged 
container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured 
readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux 
hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=2686782197/api=apps/v1//Deployment/recommendationservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2}],"score":1012,"severity":2}},{"resourceID":"/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding","controls":[{"controlID":"C-0002","name":"Exec into container","rules":[{"name":"exec-into-container-v1","status":"passed"}]},{"controlID":"C-0063","name":"Portforwarding privileges","rules":[{"name":"rule-can-portforward-v1","status":"passed"}]},{"controlID":"C-0037","name":"CoreDNS poisoning","rules":[{"name":"rule-can-update-configmap-v1","status":"passed"}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-subject-v1","status":"passed"}]},{"controlID":"C-0015","name":"List Kubernetes 
secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0031","name":"Delete Kubernetes events","rules":[{"name":"rule-can-delete-k8s-events-v1","status":"passed"}]},{"controlID":"CIS-5.1.8","name":"Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster","rules":[{"name":"rule-can-bind-escalate","status":"passed"},{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"CIS-5.1.2","name":"Minimize access to secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"CIS-5.1.4","name":"Minimize access to create pods","rules":[{"name":"rule-can-create-pod","status":"passed"}]},{"controlID":"C-0065","name":"No impersonation","rules":[{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"C-0007","name":"Data 
Destruction","rules":[{"name":"rule-excessive-delete-rights-v1","status":"passed"}]},{"controlID":"C-0053","name":"Access container service account","rules":[{"name":"access-container-service-account-v1","status":"failed"}]},{"controlID":"C-0035","name":"Cluster-admin binding","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]},{"controlID":"CIS-5.1.1","name":"Ensure that the cluster-admin role is only used where required","rules":[{"name":"cluster-admin-role","status":"passed"}]},{"controlID":"CIS-5.1.3","name":"Minimize wildcard use in Roles and ClusterRoles","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]}]},{"resourceID":"//ServiceAccount/kubescape-discovery/path=2738873395/api=rbac.authorization.k8s.io/v1//RoleBinding/-kubescape/path=3787836522/api=rbac.authorization.k8s.io/v1//ClusterRole/-kubescape","controls":[{"controlID":"C-0002","name":"Exec into container","rules":[{"name":"exec-into-container-v1","status":"passed"}]},{"controlID":"C-0063","name":"Portforwarding privileges","rules":[{"name":"rule-can-portforward-v1","status":"passed"}]},{"controlID":"C-0037","name":"CoreDNS poisoning","rules":[{"name":"rule-can-update-configmap-v1","status":"passed"}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-subject-v1","status":"passed"}]},{"controlID":"C-0015","name":"List Kubernetes 
secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0031","name":"Delete Kubernetes events","rules":[{"name":"rule-can-delete-k8s-events-v1","status":"passed"}]},{"controlID":"CIS-5.1.8","name":"Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster","rules":[{"name":"rule-can-bind-escalate","status":"passed"},{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"CIS-5.1.2","name":"Minimize access to secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"CIS-5.1.4","name":"Minimize access to create pods","rules":[{"name":"rule-can-create-pod","status":"passed"}]},{"controlID":"C-0065","name":"No impersonation","rules":[{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"C-0007","name":"Data 
Destruction","rules":[{"name":"rule-excessive-delete-rights-v1","status":"passed"}]},{"controlID":"C-0035","name":"Cluster-admin binding","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]},{"controlID":"CIS-5.1.3","name":"Minimize wildcard use in Roles and ClusterRoles","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]}]},{"resourceID":"path=1161725811/api=apps/v1//Deployment/adservice","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container 
Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration 
files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s 
common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container 
hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=1161725811/api=apps/v1//Deployment/adservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=3591976602/api=apps/v1/kubescape/Deployment/kubescape","controls":[{"controlID":"C-0017","name":"Immutable container 
filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod 
definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed 
registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container 
Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}],"controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes 
dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"passed","controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"
resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.automountServiceAccountToken","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"ku
bescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and 
Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureE
xceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"ku
bescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemE
xception":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels 
usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness 
probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.automountServiceAccountToken","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0013","name":"Non-root 
containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be 
used","rules":[{"name":"pods-in-default-namespace","status":"passed"}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"passed"}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0055","name":"Linux 
hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalatio
n","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}]},{"resourceID":"path=2924266659/api=apps/v1//Deployment/frontend","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to 
docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for 
resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged 
container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured 
readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux 
hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=2924266659/api=apps/v1//Deployment/frontend","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=1644445903/api=apps/v1/kubescape/Deployment/kubescape","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources
-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0050","name":"Resources 
CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"
C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}],"controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and 
request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"passed","controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":
"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.automountServiceAccountToken","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kub
escape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and 
Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureE
xceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"ku
bescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemE
xception":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels 
usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness 
probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.automountServiceAccountToken","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0013","name":"Non-root 
containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be 
used","rules":[{"name":"pods-in-default-namespace","status":"passed"}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"passed"}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0055","name":"Linux 
hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalatio
n","value":"false"}}],"exception":[{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-5","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Deployment","name":"kubescape","namespace":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}]},{"resourceID":"path=3591976602/api=/v1/kubescape/ServiceAccount/kubescape-discovery","controls":[{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"failed","paths":[{"fixPath":{"path":"automountServiceAccountToken","value":"false"}}]}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where 
necessary","rules":[{"name":"automount-service-account","status":"failed","paths":[{"fixPath":{"path":"automountServiceAccountToken","value":"false"}}]}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"passed"}]}]},{"resourceID":"path=3919891740/api=/v1//ServiceAccount/kubescape-discovery","controls":[{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=423865324/api=/v1//Service/productcatalogservice","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=4115069426/api=/v1//Service/emailservice","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=2738873395/api=rbac.authorization.k8s.io/v1//RoleBinding/-kubescape","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=4285981016/api=/v1//Service/cartservice","controls":[{"controlID":"CIS-5.7.4","name":"The 
default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=1966984206/api=apps/v1//Deployment/redis-cart","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and 
request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration 
files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s 
common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container 
hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=1966984206/api=apps/v1//Deployment/redis-cart","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=4285981016/api=apps/v1//Deployment/cartservice","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed 
registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure 
capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and 
Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root 
containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource 
limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=4285981016/api=apps/v1//Deployment/cartservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=4203826079/api=apps/v1/kubescape-host-scanner/DaemonSet/host-scanner","controls":[{"controlID":"C-0017","name":"Immutable container 
filesystem","rules":[{"name":"immutable-container-filesystem","status":"passed"}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].volumeMounts[0].readOnly","value":"true"}}]}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"failed","paths":[{"failedPath":"spec.template.spec.hostIPC","fixPath":{"path":"","value":""}},{"failedPath":"spec.template.spec.hostPID","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and 
request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration 
files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].livenessProbe","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].securityContext.privileged","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and 
Containers","rules":[{"name":"rule-privilege-escalation","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].securityContext.privileged","fixPath":{"path":"","value":""}}]},{"name":"immutable-container-filesystem","status":"passed"},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"failed","paths":[{"failedPath":"spec.template.spec.hostNetwork","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where 
necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"passed"}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"passed"}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].ports[0].hostPort","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"passed"}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath 
mount","rules":[{"name":"alert-rw-hostpath","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].volumeMounts[0].readOnly","value":"true"}}]}]}],"prioritizedResource":{"resourceID":"path=4203826079/api=apps/v1/kubescape-host-scanner/DaemonSet/host-scanner","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":231.00000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0057","category":"Privilege escalation","tags":["security"]}],"score":308,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0038","category":"Privilege escalation","tags":["security","compliance"]}],"score":269.5,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":154,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":231.00000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":132,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0057","category":"Privilege escalation","tags":["security"]}],"score":176,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0038","category":"Privilege escalation","tags":["security","compliance"]}],"score":154,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":88,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":132,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0057","category":"Privilege escalation","tags":["security"]}],"score":220.00000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0038","category":"Privilege escalation","tags":["security","compliance"]}],"score":192.50000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0041","category":"Discovery","tags":["security","compliance"]}],"score":269.5,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0041","category":"Discovery","tags":["security","compliance"]}],"score":154,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0041","category":"Discovery","tags":["security","compliance"]}],"score":192.50000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0041","category":"Lateral movement","tags":["security","compliance"]}],"score":269.5,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0041","category":"Lateral movement","tags":["security","compliance"]}],"score":154,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0041","category":"Lateral 
movement","tags":["security","compliance"]}],"score":192.50000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0006","category":"Impact - Data access in container","tags":["security","compliance","devops","security-impact"]}],"score":231.00000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0045","category":"Impact - Data access in container","tags":["security","compliance","devops","security-impact"]}],"score":308,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0006","category":"Impact - Data access in container","tags":["security","compliance","devops","security-impact"]}],"score":132,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0045","category":"Impact - Data access in container","tags":["security","compliance","devops","security-impact"]}],"score":176,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0006","category":"Impact - Data access in 
container","tags":["security","compliance","devops","security-impact"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0045","category":"Impact - Data access in container","tags":["security","compliance","devops","security-impact"]}],"score":220.00000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0001","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0045","category":"Persistence","tags":["security","compliance","devops","security-impact"]}],"score":308,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0044","category":"Initial access","tags":["security","compliance","devops"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0045","category":"Persistence","tags":["security","compliance","devops","security-impact"]}],"score":176,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0045","category":"Persistence","tags":["security","compliance","devops","security-impact"]}],"score":220.00000000000003,"severity":3},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0041","category":"Impact - service 
access","tags":["security","compliance"]}],"score":7.700000000000001,"severity":3}],"score":5903.7,"severity":3}},{"resourceID":"//ServiceAccount/kubescape-discovery/path=3787836522/api=rbac.authorization.k8s.io/v1//ClusterRole/-kubescape/path=4235171603/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/-kubescape","controls":[{"controlID":"C-0002","name":"Exec into container","rules":[{"name":"exec-into-container-v1","status":"passed"}]},{"controlID":"C-0063","name":"Portforwarding privileges","rules":[{"name":"rule-can-portforward-v1","status":"passed"}]},{"controlID":"C-0037","name":"CoreDNS poisoning","rules":[{"name":"rule-can-update-configmap-v1","status":"passed"}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-subject-v1","status":"passed"}]},{"controlID":"C-0015","name":"List Kubernetes secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0031","name":"Delete Kubernetes events","rules":[{"name":"rule-can-delete-k8s-events-v1","status":"passed"}]},{"controlID":"CIS-5.1.8","name":"Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster","rules":[{"name":"rule-can-bind-escalate","status":"passed"},{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"CIS-5.1.2","name":"Minimize access to 
secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"CIS-5.1.4","name":"Minimize access to create pods","rules":[{"name":"rule-can-create-pod","status":"passed"}]},{"controlID":"C-0065","name":"No impersonation","rules":[{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"C-0007","name":"Data Destruction","rules":[{"name":"rule-excessive-delete-rights-v1","status":"passed"}]},{"controlID":"C-0035","name":"Cluster-admin binding","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]},{"controlID":"CIS-5.1.1","name":"Ensure that the cluster-admin role is only used where required","rules":[{"name":"cluster-admin-role","status":"passed"}]},{"controlID":"CIS-5.1.3","name":"Minimize wildcard use in Roles and ClusterRoles","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]}]},{"resourceID":"path=2451423745/api=/v1//Service/currencyservice","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"/kubescape/Deployment/kubescape","controls":[{"controlID":"C-0042","name":"SSH server running inside 
container","rules":[{"name":"rule-can-ssh-to-pod-v1","status":"passed"}]}]},{"resourceID":"path=3591976602/api=/v1/kubescape/Service/kubescape","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"passed"}]}]},{"resourceID":"path=3015304832/api=/v1//Service/shippingservice","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=1161725811/api=/v1//Service/adservice","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=3015304832/api=apps/v1//Deployment/shippingservice","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed 
registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure 
capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and 
Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root 
containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource 
limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=3015304832/api=apps/v1//Deployment/shippingservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=1644445903/api=/v1/kubescape/Service/kubescape","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be 
used","rules":[{"name":"resources-notpods-in-default-namespace","status":"passed"}]}]},{"resourceID":"path=1881121400/api=/v1//Service/paymentservice","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=343424394/api=rbac.authorization.k8s.io/v1//Role/-kubescape","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=4115069426/api=apps/v1//Deployment/emailservice","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed 
registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure 
capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and 
Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root 
containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource 
limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=4115069426/api=apps/v1//Deployment/emailservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=423865324/api=apps/v1//Deployment/productcatalogservice","controls":[{"controlID":"C-0017","name":"Immutable container 
filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for 
resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged 
container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured 
readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux 
hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=423865324/api=apps/v1//Deployment/productcatalogservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2}],"score":1012,"severity":2}},{"resourceID":"/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles","controls":[{"controlID":"C-0002","name":"Exec into container","rules":[{"name":"exec-into-container-v1","status":"passed"}]},{"controlID":"C-0063","name":"Portforwarding privileges","rules":[{"name":"rule-can-portforward-v1","status":"passed"}]},{"controlID":"C-0037","name":"CoreDNS poisoning","rules":[{"name":"rule-can-update-configmap-v1","status":"passed"}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-subject-v1","status":"passed"}]},{"controlID":"C-0015","name":"List Kubernetes 
secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0031","name":"Delete Kubernetes events","rules":[{"name":"rule-can-delete-k8s-events-v1","status":"passed"}]},{"controlID":"CIS-5.1.8","name":"Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster","rules":[{"name":"rule-can-bind-escalate","status":"passed"},{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"CIS-5.1.2","name":"Minimize access to secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"CIS-5.1.4","name":"Minimize access to create pods","rules":[{"name":"rule-can-create-pod","status":"passed"}]},{"controlID":"C-0065","name":"No impersonation","rules":[{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"C-0007","name":"Data 
Destruction","rules":[{"name":"rule-excessive-delete-rights-v1","status":"passed"}]},{"controlID":"C-0053","name":"Access container service account","rules":[{"name":"access-container-service-account-v1","status":"failed"}]},{"controlID":"C-0035","name":"Cluster-admin binding","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]},{"controlID":"CIS-5.1.1","name":"Ensure that the cluster-admin role is only used where required","rules":[{"name":"cluster-admin-role","status":"passed"}]},{"controlID":"CIS-5.1.3","name":"Minimize wildcard use in Roles and ClusterRoles","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]}]},{"resourceID":"path=3591976602/api=/v1//Namespace/kubescape","controls":[{"controlID":"CIS-5.2.12","name":"Minimize the admission of HostPath volumes","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"r
esources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0060","name":"Namespace without service accounts","rules":[{"name":"namespace-without-service-account","status":"passed"}]},{"controlID":"CIS-5.2.5","name":"Minimize the admission of containers wishing to share the host network namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0054","name":"Cluster internal 
networking","rules":[{"name":"internal-networking","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.2","name":"Minimize the admission of privileged 
containers","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.13","name":"Minimize the admission of containers which use 
HostPorts","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.7","name":"Minimize the admission of root 
containers","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.11","name":"Minimize the admission of Windows HostProcess 
Containers","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.3.2","name":"Ensure that all Namespaces have Network Policies 
defined","rules":[{"name":"internal-networking","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.1.5","name":"Ensure that default service accounts are not actively used","rules":[{"name":"namespace-without-service-account","status":"passed"}]},{"controlID":"CIS-5.2.9","name":"Minimize the admission of containers with added 
capabilities","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.10","name":"Minimize the admission of containers with capabilities 
assigned","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.6","name":"Minimize the admission of containers with 
allowPrivilegeEscalation","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.7.1","name":"Create administrative boundaries between resources using 
namespaces","rules":[{"name":"list-all-namespaces","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.8","name":"Minimize the admission of containers with the NET_RAW 
capability","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.4","name":"Minimize the admission of containers wishing to share the host IPC 
namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0049","name":"Network 
mapping","rules":[{"name":"internal-networking","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.3","name":"Minimize the admission of containers wishing to share the host process ID 
namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.1","name":"Ensure that the cluster has at least one active policy control mechanism in 
place","rules":[{"name":"pod-security-admission-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]}]},{"resourceID":"path=4038904612/api=apps/v1//Deployment/loadgenerator","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod 
definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files 
over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].livenessProbe","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your 
Pods and Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].readinessProbe","value":"YOUR_VALUE"}}]}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where 
necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux 
hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=4038904612/api=apps/v1//Deployment/loadgenerator","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=645840794/api=apps/v1//Deployment/checkoutservice","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC 
privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service 
account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and 
Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root 
containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource 
limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=645840794/api=apps/v1//Deployment/checkoutservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2}],"score":1012,"severity":2}},{"resourceID":"path=4203826079/api=/v1//Namespace/kubescape-host-scanner","controls":[{"controlID":"CIS-5.2.12","name":"Minimize the admission of HostPath 
volumes","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed"}]},{"controlID":"C-0060","name":"Namespace without service accounts","rules":[{"name":"namespace-without-service-account","status":"failed"}]},{"controlID":"CIS-5.2.5","name":"Minimize the admission of containers wishing to share the host network namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed"}]},{"controlID":"C-0054","name":"Cluster internal networking","rules":[{"name":"internal-networking","status":"failed"}]},{"controlID":"CIS-5.2.2","name":"Minimize the admission of privileged containers","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed"}]},{"controlID":"CIS-5.2.13","name":"Minimize the admission of containers which use HostPorts","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed"}]},{"controlID":"CIS-5.2.7","name":"Minimize the admission of root containers","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed"}]},{"controlID":"CIS-5.2.11","name":"Minimize the admission of Windows HostProcess Containers","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed"}]},{"controlID":"CIS-5.3.2","name":"Ensure that all Namespaces have Network Policies defined","rules":[{"name":"internal-networking","status":"failed"}]},{"controlID":"CIS-5.1.5","name":"Ensure that default service accounts are not actively used","rules":[{"name":"namespace-without-service-account","status":"failed"}]},{"controlID":"CIS-5.2.9","name":"Minimize the admission of containers with added capabilities","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed"}]},{"controlID":"CIS-5.2.10","name":"Minimize the admission of containers with capabilities assigned","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed"}]},{"controlID":"CIS-5.2.6","name":"Minimize the admission of containers with 
allowPrivilegeEscalation","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed"}]},{"controlID":"CIS-5.7.1","name":"Create administrative boundaries between resources using namespaces","rules":[{"name":"list-all-namespaces","status":"failed"}]},{"controlID":"CIS-5.2.8","name":"Minimize the admission of containers with the NET_RAW capability","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed"}]},{"controlID":"CIS-5.2.4","name":"Minimize the admission of containers wishing to share the host IPC namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed"}]},{"controlID":"C-0049","name":"Network mapping","rules":[{"name":"internal-networking","status":"failed"}]},{"controlID":"CIS-5.2.3","name":"Minimize the admission of containers wishing to share the host process ID namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed"}]},{"controlID":"CIS-5.2.1","name":"Ensure that the cluster has at least one active policy control mechanism in place","rules":[{"name":"pod-security-admission-applied","status":"failed"}]}]},{"resourceID":"path=645840794/api=/v1//Service/checkoutservice","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=2924266659/api=/v1//Service/frontend-external","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=2924266659/api=/v1//Service/frontend","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be 
used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=2451423745/api=apps/v1//Deployment/currencyservice","controls":[{"controlID":"C-0017","name":"Immutable container filesystem","rules":[{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]}]},{"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","rules":[{"name":"set-seccomp-profile-RuntimeDefault","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile.type","value":"RuntimeDefault"}}]}]},{"controlID":"C-0050","name":"Resources CPU limit and request","rules":[{"name":"resources-cpu-limit-and-request","status":"passed","controlConfigurations":{"cpu_limit_max":[],"cpu_limit_min":[],"cpu_request_max":[],"cpu_request_min":[]}}]},{"controlID":"C-0006","name":"Allowed hostPath","rules":[{"name":"alert-rw-hostpath","status":"passed"}]},{"controlID":"C-0078","name":"Images from allowed registry","rules":[{"name":"container-image-repository","status":"failed","paths":[{"failedPath":"spec.template.spec.containers[0].image","fixPath":{"path":"","value":""}}],"controlConfigurations":{"imageRepositoryAllowList":["ecr.*amazonaws.com",".*.gcr.io",".*azurecr.io"]}}]},{"controlID":"C-0038","name":"Host PID/IPC privileges","rules":[{"name":"host-pid-ipc-privileges","status":"passed"}]},{"controlID":"C-0001","name":"Forbidden Container Registries","rules":[{"name":"rule-identify-blocklisted-image-registries","status":"passed","controlConfigurations":{"publicRegistries":["quay.io","registry.hub.docker.com"],"untrustedRegistries":[]}}]},{"controlID":"C-0004","name":"Resources memory limit and 
request","rules":[{"name":"resources-memory-limit-and-request","status":"passed","controlConfigurations":{"memory_limit_max":[],"memory_limit_min":[],"memory_request_max":[],"memory_request_min":[]}}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-wl-v1","status":"passed"}]},{"controlID":"C-0076","name":"Label usage for resources","rules":[{"name":"label-usage-for-resources","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"recommendedLabels":["app","tier","phase","version","owner","env"]}}]},{"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","rules":[{"name":"rule-secrets-in-env-var","status":"passed"}]},{"controlID":"C-0048","name":"HostPath mount","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0016","name":"Allow privilege escalation","rules":[{"name":"rule-allow-privilege-escalation","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0046","name":"Insecure capabilities","rules":[{"name":"insecure-capabilities","status":"passed","controlConfigurations":{"insecureCapabilities":["SETPCAP","NET_ADMIN","NET_RAW","SYS_MODULE","SYS_RAWIO","SYS_PTRACE","SYS_ADMIN","SYS_BOOT","MAC_OVERRIDE","MAC_ADMIN","PERFMON","ALL","BPF"]}}]},{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0012","name":"Applications credentials in configuration 
files","rules":[{"name":"rule-credentials-in-env-var","status":"passed","controlConfigurations":{"sensitiveKeyNames":["aws_access_key_id","aws_secret_access_key","azure_batchai_storage_account","azure_batchai_storage_key","azure_batch_account","azure_batch_key","secret","key","password","pwd","token","jwt","bearer","credential"],"sensitiveValuesAllowed":[]}}]},{"controlID":"C-0020","name":"Mount service principal","rules":[{"name":"alert-any-hostpath","status":"passed"}]},{"controlID":"C-0056","name":"Configured liveness probe","rules":[{"name":"configured-liveness-probe","status":"passed"}]},{"controlID":"C-0057","name":"Privileged container","rules":[{"name":"rule-privilege-escalation","status":"passed"}]},{"controlID":"C-0075","name":"Image pull policy on latest tag","rules":[{"name":"image-pull-policy-is-not-set-to-always","status":"passed"}]},{"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and Containers","rules":[{"name":"rule-privilege-escalation","status":"passed"},{"name":"immutable-container-filesystem","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem","value":"true"}}]},{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]},{"name":"drop-capability-netraw","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.capabilities.drop","value":"NET_RAW"}}]},{"name":"set-seLinuxOptions","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seLinuxOptions","value":"YOUR_VALUE"}}]},{"name":"set-seccomp-profile","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.seccompProfile","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0077","name":"K8s 
common labels usage","rules":[{"name":"K8s common labels usage","status":"failed","paths":[{"fixPath":{"path":"metadata.labels","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.metadata.labels","value":"YOUR_VALUE"}}],"controlConfigurations":{"k8sRecommendedLabels":["app.kubernetes.io/name","app.kubernetes.io/instance","app.kubernetes.io/version","app.kubernetes.io/component","app.kubernetes.io/part-of","app.kubernetes.io/managed-by","app.kubernetes.io/created-by"]}}]},{"controlID":"C-0041","name":"HostNetwork access","rules":[{"name":"host-network-access","status":"passed"}]},{"controlID":"C-0018","name":"Configured readiness probe","rules":[{"name":"configured-readiness-probe","status":"passed"}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"passed"}]},{"controlID":"C-0013","name":"Non-root containers","rules":[{"name":"non-root-containers","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0062","name":"Sudo in container entrypoint","rules":[{"name":"sudo-in-container-entrypoint","status":"passed"}]},{"controlID":"C-0074","name":"Containers mounting Docker socket","rules":[{"name":"containers-mounting-docker-socket","status":"passed"}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0061","name":"Pods in default namespace","rules":[{"name":"pods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]},{"controlID":"C-0044","name":"Container 
hostPort","rules":[{"name":"container-hostPort","status":"passed"}]},{"controlID":"C-0030","name":"Ingress and Egress blocked","rules":[{"name":"ingress-and-egress-blocked","status":"failed"}]},{"controlID":"C-0055","name":"Linux hardening","rules":[{"name":"linux-hardening","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.containers[0].seccompProfile","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].seLinuxOptions","value":"YOUR_VALUE"}},{"fixPath":{"path":"spec.template.spec.containers[0].capabilities.drop","value":"YOUR_VALUE"}}]}]},{"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","rules":[{"name":"CVE-2022-0492","status":"failed","paths":[{"fixPath":{"path":"spec.template.spec.securityContext.runAsNonRoot","value":"true"}},{"fixPath":{"path":"spec.template.spec.securityContext.allowPrivilegeEscalation","value":"false"}}]}]},{"controlID":"C-0009","name":"Resource limits","rules":[{"name":"resource-policies","status":"passed"}]},{"controlID":"C-0045","name":"Writable hostPath mount","rules":[{"name":"alert-rw-hostpath","status":"passed"}]}],"prioritizedResource":{"resourceID":"path=2451423745/api=apps/v1//Deployment/currencyservice","priorityVector":[{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege 
escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":165,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":110.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0055","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0016","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0013","category":"Privilege escalation","tags":["security","compliance"]}],"score":99.00000000000001,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial 
access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0086","category":"Privilege escalation","tags":["security","compliance"]}],"score":66,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0078","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":82.5,"severity":2},{"attackTrackName":"container","type":"control","vector":[{"controlID":"C-0078","category":"Initial access","tags":["security","compliance"]},{"controlID":"C-0017","category":"Execution","tags":["security","compliance"]},{"controlID":"C-0017","category":"Persistence","tags":["security","compliance"]}],"score":49.50000000000001,"severity":2}],"score":1012,"severity":2}},{"resourceID":"/kubescape/ServiceAccount/kubescape-discovery/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=1644445903/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding","controls":[{"controlID":"C-0002","name":"Exec into container","rules":[{"name":"exec-into-container-v1","status":"passed"}]},{"controlID":"C-0063","name":"Portforwarding privileges","rules":[{"name":"rule-can-portforward-v1","status":"passed"}]},{"controlID":"C-0037","name":"CoreDNS poisoning","rules":[{"name":"rule-can-update-configmap-v1","status":"passed"}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-subject-v1","status":"passed"}]},{"controlID":"C-0015","name":"List Kubernetes 
secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0031","name":"Delete Kubernetes events","rules":[{"name":"rule-can-delete-k8s-events-v1","status":"passed"}]},{"controlID":"CIS-5.1.8","name":"Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster","rules":[{"name":"rule-can-bind-escalate","status":"passed"},{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"CIS-5.1.2","name":"Minimize access to secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"CIS-5.1.4","name":"Minimize access to create pods","rules":[{"name":"rule-can-create-pod","status":"passed"}]},{"controlID":"C-0065","name":"No impersonation","rules":[{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"C-0007","name":"Data 
Destruction","rules":[{"name":"rule-excessive-delete-rights-v1","status":"passed"}]},{"controlID":"C-0053","name":"Access container service account","rules":[{"name":"access-container-service-account-v1","status":"failed"}]},{"controlID":"C-0035","name":"Cluster-admin binding","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]},{"controlID":"CIS-5.1.1","name":"Ensure that the cluster-admin role is only used where required","rules":[{"name":"cluster-admin-role","status":"passed"}]},{"controlID":"CIS-5.1.3","name":"Minimize wildcard use in Roles and ClusterRoles","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]}]},{"resourceID":"/kubescape/ServiceAccount/kubescape-discovery/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRole/kubescape-discovery-clusterroles/path=3591976602/api=rbac.authorization.k8s.io/v1//ClusterRoleBinding/kubescape-discovery-role-binding","controls":[{"controlID":"C-0002","name":"Exec into container","rules":[{"name":"exec-into-container-v1","status":"passed"}]},{"controlID":"C-0063","name":"Portforwarding privileges","rules":[{"name":"rule-can-portforward-v1","status":"passed"}]},{"controlID":"C-0037","name":"CoreDNS poisoning","rules":[{"name":"rule-can-update-configmap-v1","status":"passed"}]},{"controlID":"C-0014","name":"Access Kubernetes dashboard","rules":[{"name":"rule-access-dashboard-subject-v1","status":"passed"}]},{"controlID":"C-0015","name":"List Kubernetes 
secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"C-0031","name":"Delete Kubernetes events","rules":[{"name":"rule-can-delete-k8s-events-v1","status":"passed"}]},{"controlID":"CIS-5.1.8","name":"Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster","rules":[{"name":"rule-can-bind-escalate","status":"passed"},{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"CIS-5.1.2","name":"Minimize access to secrets","rules":[{"name":"rule-can-list-get-secrets-v1","status":"failed","paths":[{"failedPath":"relatedObjects[1].rules[0].resources[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].verbs[1]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[1].rules[0].apiGroups[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].subjects[0]","fixPath":{"path":"","value":""}},{"failedPath":"relatedObjects[0].roleRef.name","fixPath":{"path":"","value":""}}]}]},{"controlID":"CIS-5.1.4","name":"Minimize access to create pods","rules":[{"name":"rule-can-create-pod","status":"passed"}]},{"controlID":"C-0065","name":"No impersonation","rules":[{"name":"rule-can-impersonate-users-groups-v1","status":"passed"}]},{"controlID":"C-0007","name":"Data 
Destruction","rules":[{"name":"rule-excessive-delete-rights-v1","status":"passed"}]},{"controlID":"C-0053","name":"Access container service account","rules":[{"name":"access-container-service-account-v1","status":"failed"}]},{"controlID":"C-0035","name":"Cluster-admin binding","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]},{"controlID":"CIS-5.1.1","name":"Ensure that the cluster-admin role is only used where required","rules":[{"name":"cluster-admin-role","status":"passed"}]},{"controlID":"CIS-5.1.3","name":"Minimize wildcard use in Roles and ClusterRoles","rules":[{"name":"rule-list-all-cluster-admins-v1","status":"passed"}]}]},{"resourceID":"path=1966984206/api=/v1//Service/redis-cart","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]},{"resourceID":"path=1644445903/api=/v1//Namespace/kubescape","controls":[{"controlID":"CIS-5.2.12","name":"Minimize the admission of HostPath 
volumes","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0060","name":"Namespace without service accounts","rules":[{"name":"namespace-without-service-account","status":"passed"}]},{"controlID":"CIS-5.2.5","name":"Minimize the admission of containers wishing to share the host network 
namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0054","name":"Cluster internal 
networking","rules":[{"name":"internal-networking","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.2","name":"Minimize the admission of privileged 
containers","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.13","name":"Minimize the admission of containers which use 
HostPorts","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.7","name":"Minimize the admission of root 
containers","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.11","name":"Minimize the admission of Windows HostProcess 
Containers","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.3.2","name":"Ensure that all Namespaces have Network Policies 
defined","rules":[{"name":"internal-networking","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.1.5","name":"Ensure that default service accounts are not actively used","rules":[{"name":"namespace-without-service-account","status":"passed"}]},{"controlID":"CIS-5.2.9","name":"Minimize the admission of containers with added 
capabilities","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.10","name":"Minimize the admission of containers with capabilities 
assigned","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.6","name":"Minimize the admission of containers with 
allowPrivilegeEscalation","rules":[{"name":"pod-security-admission-restricted-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.7.1","name":"Create administrative boundaries between resources using 
namespaces","rules":[{"name":"list-all-namespaces","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.8","name":"Minimize the admission of containers with the NET_RAW 
capability","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.4","name":"Minimize the admission of containers wishing to share the host IPC 
namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"C-0049","name":"Network 
mapping","rules":[{"name":"internal-networking","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.3","name":"Minimize the admission of containers wishing to share the host process ID 
namespace","rules":[{"name":"pod-security-admission-baseline-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]},{"controlID":"CIS-5.2.1","name":"Ensure that the cluster has at least one active policy control mechanism in 
place","rules":[{"name":"pod-security-admission-applied","status":"failed","exception":[{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]},{"guid":"","name":"exclude-kubescape-resources-0","attributes":{"systemException":true},"policyType":"postureExceptionPolicy","creationTime":"","actions":["alertOnly"],"resources":[{"designatorType":"Attributes","attributes":{"kind":"Namespace","name":"kubescape"}}],"posturePolicies":[{"frameworkName":""}]}]}]}]},{"resourceID":"path=1644445903/api=/v1/kubescape/ServiceAccount/kubescape-discovery","controls":[{"controlID":"C-0034","name":"Automatic mapping of service account","rules":[{"name":"automount-service-account","status":"failed","paths":[{"fixPath":{"path":"automountServiceAccountToken","value":"false"}}]}]},{"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","rules":[{"name":"automount-service-account","status":"failed","paths":[{"fixPath":{"path":"automountServiceAccountToken","value":"false"}}]}]},{"controlID":"CIS-5.7.4","name":"The default namespace should not be 
used","rules":[{"name":"resources-notpods-in-default-namespace","status":"passed"}]}]},{"resourceID":"path=2686782197/api=/v1//Service/recommendationservice","controls":[{"controlID":"CIS-5.7.4","name":"The default namespace should not be used","rules":[{"name":"resources-notpods-in-default-namespace","status":"failed","paths":[{"fixPath":{"path":"metadata.namespace","value":"YOUR_NAMESPACE"}}]}]}]}],"summaryDetails":{"controls":{"C-0001":{"statusInfo":{"status":"failed"},"controlID":"C-0001","name":"Forbidden Container Registries","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":12,"failedResources":1,"excludedResources":2},"score":6.6666665,"scoreFactor":7},"C-0002":{"statusInfo":{"status":"passed"},"controlID":"C-0002","name":"Exec into container","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0004":{"statusInfo":{"status":"passed"},"controlID":"C-0004","name":"Resources memory limit and request","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0005":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0005","name":"Control plane hardening","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9},"C-0006":{"statusInfo":{"status":"failed"},"controlID":"C-0006","name":"Allowed hostPath","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":6},"C-0007":{"statusInfo":{"status":"passed"},"controlID":"C-0007","name":"Data Destruction","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0009":{"statusInfo":{"status":"passed"},"controlID":"C-0009","name":"Resource 
limits","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0012":{"statusInfo":{"status":"passed"},"controlID":"C-0012","name":"Applications credentials in configuration files","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0013":{"statusInfo":{"status":"failed"},"controlID":"C-0013","name":"Non-root containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0014":{"statusInfo":{"status":"passed"},"controlID":"C-0014","name":"Access Kubernetes dashboard","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":21,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"C-0015":{"statusInfo":{"status":"failed"},"controlID":"C-0015","name":"List Kubernetes secrets","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":6,"excludedResources":0},"score":100,"scoreFactor":7},"C-0016":{"statusInfo":{"status":"failed"},"controlID":"C-0016","name":"Allow privilege escalation","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0017":{"statusInfo":{"status":"failed"},"controlID":"C-0017","name":"Immutable container filesystem","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":12,"excludedResources":2},"score":80,"scoreFactor":3},"C-0018":{"statusInfo":{"status":"failed"},"controlID":"C-0018","name":"Configured readiness probe","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":3},"C-0020":{"statusInfo":{"status":"passed"},"controlID":"C-0020","name":"Mount 
service principal","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0021":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0021","name":"Exposed sensitive interfaces","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0026":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0026","name":"Kubernetes CronJob","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":1},"C-0030":{"statusInfo":{"status":"failed"},"controlID":"C-0030","name":"Ingress and Egress blocked","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0031":{"statusInfo":{"status":"passed"},"controlID":"C-0031","name":"Delete Kubernetes events","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0034":{"statusInfo":{"status":"failed"},"controlID":"C-0034","name":"Automatic mapping of service account","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":2,"excludedResources":2},"score":11.111111,"scoreFactor":6},"C-0035":{"statusInfo":{"status":"passed"},"controlID":"C-0035","name":"Cluster-admin binding","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0036":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0036","name":"Malicious admission controller 
(validating)","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0037":{"statusInfo":{"status":"passed"},"controlID":"C-0037","name":"CoreDNS poisoning","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0038":{"statusInfo":{"status":"failed"},"controlID":"C-0038","name":"Host PID/IPC privileges","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":7},"C-0039":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0039","name":"Malicious admission controller (mutating)","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0041":{"statusInfo":{"status":"failed"},"controlID":"C-0041","name":"HostNetwork access","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":7},"C-0042":{"statusInfo":{"status":"passed"},"controlID":"C-0042","name":"SSH server running inside container","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0044":{"statusInfo":{"status":"failed"},"controlID":"C-0044","name":"Container hostPort","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":4},"C-0045":{"statusInfo":{"status":"failed"},"controlID":"C-0045","name":"Writable hostPath mount","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":8},"C-0046":{"statusInfo":{"status":"passed"},"controlID":"C-0046","name":"Insecure 
capabilities","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0047":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0047","name":"Exposed dashboard","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0048":{"statusInfo":{"status":"passed"},"controlID":"C-0048","name":"HostPath mount","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0049":{"statusInfo":{"status":"failed"},"controlID":"C-0049","name":"Network mapping","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":3},"C-0050":{"statusInfo":{"status":"passed"},"controlID":"C-0050","name":"Resources CPU limit and request","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0053":{"statusInfo":{"status":"failed"},"controlID":"C-0053","name":"Access container service account","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":4,"excludedResources":0},"score":100,"scoreFactor":6},"C-0054":{"statusInfo":{"status":"failed"},"controlID":"C-0054","name":"Cluster internal networking","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"C-0055":{"statusInfo":{"status":"failed"},"controlID":"C-0055","name":"Linux hardening","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":4},"C-0056":{"statusInfo":{"status":"failed"},"controlID":"C-0056","name":"Configured liveness 
probe","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":13,"failedResources":2,"excludedResources":0},"score":13.333333,"scoreFactor":4},"C-0057":{"statusInfo":{"status":"failed"},"controlID":"C-0057","name":"Privileged container","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":8},"C-0058":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0058","name":"CVE-2021-25741 - Using symlink for arbitrary host file system access.","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0059":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0059","name":"CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0060":{"statusInfo":{"status":"failed"},"controlID":"C-0060","name":"Namespace without service accounts","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":2,"failedResources":1,"excludedResources":0},"score":33.333332,"scoreFactor":4},"C-0061":{"statusInfo":{"status":"failed"},"controlID":"C-0061","name":"Pods in default namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":3,"failedResources":12,"excludedResources":0},"score":80,"scoreFactor":3},"C-0062":{"statusInfo":{"status":"passed"},"controlID":"C-0062","name":"Sudo in container entrypoint","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0063":{"statusInfo":{"status":"passed"},"controlID":"C-0063","name":"Portforwarding 
privileges","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0065":{"statusInfo":{"status":"passed"},"controlID":"C-0065","name":"No impersonation","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0066":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0066","name":"Secret/ETCD encryption enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0067":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0067","name":"Audit logs enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0068":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0068","name":"PSP enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":1},"C-0069":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0069","name":"Disable anonymous access to Kubelet service","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":10},"C-0070":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0070","name":"Enforce Kubelet client TLS authentication","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9},"C-0073":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0073","name":"Naked PODs","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0074":{"statusInfo":{"status":"passed"},"controlID":"C-0074","name":"Containers mounting 
Docker socket","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0075":{"statusInfo":{"status":"passed"},"controlID":"C-0075","name":"Image pull policy on latest tag","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"C-0076":{"statusInfo":{"status":"failed"},"controlID":"C-0076","name":"Label usage for resources","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":2,"failedResources":13,"excludedResources":0},"score":86.666664,"scoreFactor":2},"C-0077":{"statusInfo":{"status":"failed"},"controlID":"C-0077","name":"K8s common labels usage","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":2},"C-0078":{"statusInfo":{"status":"failed"},"controlID":"C-0078","name":"Images from allowed registry","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":5},"C-0079":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0079","name":"CVE-2022-0185-linux-kernel-container-escape","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0081":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0081","name":"CVE-2022-24348-argocddirtraversal","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0083":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0083","name":"Workloads with Critical vulnerabilities exposed to external 
traffic","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0084":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0084","name":"Workloads with RCE vulnerabilities exposed to external traffic","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0085":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0085","name":"Workloads with excessive amount of vulnerabilities","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0086":{"statusInfo":{"status":"failed"},"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":12,"excludedResources":2},"score":80,"scoreFactor":4},"C-0087":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0087","name":"CVE-2022-23648-containerd-fs-escape","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0088":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0088","name":"RBAC enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0089":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0089","name":"CVE-2022-3172-aggregated-API-server-redirect","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.1.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.1","name":"Ensure that the API server pod specification file permissions are set to 600 or more 
restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.10":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.10","name":"Ensure that the Container Network Interface file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.11":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.11","name":"Ensure that the etcd data directory permissions are set to 700 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.1.12":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.12","name":"Ensure that the etcd data directory ownership is set to etcd:etcd","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.1.13":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.13","name":"Ensure that the admin.conf file permissions are set to 600","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.1.14":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.14","name":"Ensure that the admin.conf file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.1.15":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.15","name":"Ensure that the scheduler.conf file permissions are set to 600 or more 
restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.16":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.16","name":"Ensure that the scheduler.conf file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.17":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.17","name":"Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.18":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.18","name":"Ensure that the controller-manager.conf file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.19":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.19","name":"Ensure that the Kubernetes PKI directory and file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.1.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.2","name":"Ensure that the API server pod specification file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.20":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.20","name":"Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more 
restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.1.21":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.21","name":"Ensure that the Kubernetes PKI key file permissions are set to 600","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.1.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.3","name":"Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.4","name":"Ensure that the controller manager pod specification file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.5","name":"Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.6","name":"Ensure that the scheduler pod specification file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.7","name":"Ensure that the etcd pod specification file permissions are set to 600 or more 
restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.8":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.8","name":"Ensure that the etcd pod specification file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.9":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.9","name":"Ensure that the Container Network Interface file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.2.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.1","name":"Ensure that the API Server --anonymous-auth argument is set to false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.10":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.10","name":"Ensure that the admission control plugin AlwaysAdmit is not set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.11":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.11","name":"Ensure that the admission control plugin AlwaysPullImages is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.12":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.12","name":"Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not 
used","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.13":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.13","name":"Ensure that the admission control plugin ServiceAccount is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.2.14":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.14","name":"Ensure that the admission control plugin NamespaceLifecycle is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.2.15":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.15","name":"Ensure that the admission control plugin NodeRestriction is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.16":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.16","name":"Ensure that the API Server --secure-port argument is not set to 0","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.17":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.17","name":"Ensure that the API Server --profiling argument is set to false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.2.18":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.18","name":"Ensure that the API Server --audit-log-path argument is 
set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.19":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.19","name":"Ensure that the API Server --audit-log-maxage argument is set to 30 or as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.2","name":"Ensure that the API Server --token-auth-file parameter is not set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.20":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.20","name":"Ensure that the API Server --audit-log-maxbackup argument is set to 10 or as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.21":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.21","name":"Ensure that the API Server --audit-log-maxsize argument is set to 100 or as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.22":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.22","name":"Ensure that the API Server --request-timeout argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.23":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.23","name":"Ensure that the API Server --service-account-lookup argument is set to 
true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.2.24":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.24","name":"Ensure that the API Server --service-account-key-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-1.2.25":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.25","name":"Ensure that the API Server --etcd-certfile and --etcd-keyfile arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.26":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.26","name":"Ensure that the API Server --tls-cert-file and --tls-private-key-file arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.27":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.27","name":"Ensure that the API Server --client-ca-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.28":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.28","name":"Ensure that the API Server --etcd-cafile argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.29":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.29","name":"Ensure that the API Server --encryption-provider-config argument is set as 
appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.3","name":"Ensure that the API Server --DenyServiceExternalIPs is not set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.30":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.30","name":"Ensure that encryption providers are appropriately configured","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.31":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.31","name":"Ensure that the API Server only makes use of Strong Cryptographic Ciphers","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-1.2.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.4","name":"Ensure that the API Server --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.5","name":"Ensure that the API Server --kubelet-certificate-authority argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.6","name":"Ensure that the API Server --authorization-mode argument is not set to 
AlwaysAllow","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.7","name":"Ensure that the API Server --authorization-mode argument includes Node","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-1.2.8":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.8","name":"Ensure that the API Server --authorization-mode argument includes RBAC","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.9":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.9","name":"Ensure that the admission control plugin EventRateLimit is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.3.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.1","name":"Ensure that the Controller Manager --terminated-pod-gc-threshold argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.3.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.2","name":"Ensure that the Controller Manager --profiling argument is set to false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.3.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.3","name":"Ensure that the Controller Manager --use-service-account-credentials argument is set to 
true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.3.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.4","name":"Ensure that the Controller Manager --service-account-private-key-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.3.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.5","name":"Ensure that the Controller Manager --root-ca-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.3.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.6","name":"Ensure that the Controller Manager RotateKubeletServerCertificate argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.3.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.7","name":"Ensure that the Controller Manager --bind-address argument is set to 127.0.0.1","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-1.4.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.4.1","name":"Ensure that the Scheduler --profiling argument is set to false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.4.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.4.2","name":"Ensure that the Scheduler --bind-address argument is set to 
127.0.0.1","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-2.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.1","name":"Ensure that the --cert-file and --key-file arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-2.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.2","name":"Ensure that the --client-cert-auth argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-2.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.3","name":"Ensure that the --auto-tls argument is not set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-2.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.4","name":"Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-2.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.5","name":"Ensure that the --peer-client-cert-auth argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-2.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.6","name":"Ensure that the --peer-auto-tls argument is not set to 
true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-2.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.7","name":"Ensure that a unique Certificate Authority is used for etcd","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-4.1.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.1","name":"Ensure that the kubelet service file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.10":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.10","name":"If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.1.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.2","name":"Ensure that the kubelet service file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.3","name":"If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.4","name":"If proxy kubeconfig file exists ensure ownership is set to 
root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.5","name":"Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.6","name":"Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.7","name":"Ensure that the certificate authorities file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.1.8":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.8","name":"Ensure that the client certificate authorities file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.1.9":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.9","name":"If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.2.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.1","name":"Ensure that the --anonymous-auth argument is set to 
false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.2.10":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.10","name":"Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.2.11":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.11","name":"Ensure that the --rotate-certificates argument is not set to false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.2.12":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.12","name":"Verify that the RotateKubeletServerCertificate argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.2.13":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.13","name":"Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-4.2.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.2","name":"Ensure that the --authorization-mode argument is not set to AlwaysAllow","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.2.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.3","name":"Ensure that the --client-ca-file argument is set as 
appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.2.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.4","name":"Verify that the --read-only-port argument is set to 0","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-4.2.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.5","name":"Ensure that the --streaming-connection-idle-timeout argument is not set to 0","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-4.2.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.6","name":"Ensure that the --protect-kernel-defaults argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"CIS-4.2.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.7","name":"Ensure that the --make-iptables-util-chains argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-4.2.8":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.8","name":"Ensure that the --hostname-override argument is not set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-4.2.9":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.9","name":"Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event 
capture","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"CIS-5.1.1":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.1.1","name":"Ensure that the cluster-admin role is only used where required","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":5,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-5.1.2":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.1.2","name":"Minimize access to secrets","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":6,"excludedResources":0},"score":100,"scoreFactor":6},"CIS-5.1.3":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.1.3","name":"Minimize wildcard use in Roles and ClusterRoles","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-5.1.4":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.1.4","name":"Minimize access to create pods","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-5.1.5":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.1.5","name":"Ensure that default service accounts are not actively used","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":2,"failedResources":1,"excludedResources":0},"score":33.333332,"scoreFactor":5},"CIS-5.1.6":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where necessary","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":2,"excludedResources":2},"score":11.111111,"scoreFactor":5},"CIS-5.1.8":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.1.8","name":"Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes 
cluster","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-5.2.1":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.1","name":"Ensure that the cluster has at least one active policy control mechanism in place","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"CIS-5.2.10":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.10","name":"Minimize the admission of containers with capabilities assigned","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.2.11":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.11","name":"Minimize the admission of Windows HostProcess Containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":7},"CIS-5.2.12":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.12","name":"Minimize the admission of HostPath volumes","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":6},"CIS-5.2.13":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.13","name":"Minimize the admission of containers which use HostPorts","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"CIS-5.2.2":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.2","name":"Minimize the admission of privileged containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":8},"CIS-5.2.3":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.3","name":"Minimize the 
admission of containers wishing to share the host process ID namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.2.4":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.4","name":"Minimize the admission of containers wishing to share the host IPC namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.2.5":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.5","name":"Minimize the admission of containers wishing to share the host network namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.2.6":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.6","name":"Minimize the admission of containers with allowPrivilegeEscalation","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":6},"CIS-5.2.7":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.7","name":"Minimize the admission of root containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":6},"CIS-5.2.8":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.8","name":"Minimize the admission of containers with the NET_RAW capability","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":6},"CIS-5.2.9":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.9","name":"Minimize the admission of containers with added 
capabilities","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.3.2":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.3.2","name":"Ensure that all Namespaces have Network Policies defined","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"CIS-5.4.1":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-5.7.1":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.7.1","name":"Create administrative boundaries between resources using namespaces","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.7.2":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod definitions","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":4},"CIS-5.7.3":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and Containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":8},"CIS-5.7.4":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.7.4","name":"The default namespace should not be 
used","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":7,"failedResources":27,"excludedResources":0},"score":79.411766,"scoreFactor":4}},"status":"failed","frameworks":[{"controls":{"C-0004":{"statusInfo":{"status":"passed"},"controlID":"C-0004","name":"Resources memory limit and request","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0018":{"statusInfo":{"status":"failed"},"controlID":"C-0018","name":"Configured readiness probe","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":3},"C-0044":{"statusInfo":{"status":"failed"},"controlID":"C-0044","name":"Container hostPort","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":4},"C-0050":{"statusInfo":{"status":"passed"},"controlID":"C-0050","name":"Resources CPU limit and request","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0056":{"statusInfo":{"status":"failed"},"controlID":"C-0056","name":"Configured liveness probe","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":13,"failedResources":2,"excludedResources":0},"score":13.333333,"scoreFactor":4},"C-0061":{"statusInfo":{"status":"failed"},"controlID":"C-0061","name":"Pods in default namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":3,"failedResources":12,"excludedResources":0},"score":80,"scoreFactor":3},"C-0073":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0073","name":"Naked 
PODs","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0074":{"statusInfo":{"status":"passed"},"controlID":"C-0074","name":"Containers mounting Docker socket","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0075":{"statusInfo":{"status":"passed"},"controlID":"C-0075","name":"Image pull policy on latest tag","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"C-0076":{"statusInfo":{"status":"failed"},"controlID":"C-0076","name":"Label usage for resources","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":2,"failedResources":13,"excludedResources":0},"score":86.666664,"scoreFactor":2},"C-0077":{"statusInfo":{"status":"failed"},"controlID":"C-0077","name":"K8s common labels usage","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":2}},"name":"DevOpsBest","status":"failed","version":"","ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":16.747967},{"controls":{"C-0001":{"statusInfo":{"status":"failed"},"controlID":"C-0001","name":"Forbidden Container Registries","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":12,"failedResources":1,"excludedResources":2},"score":6.6666665,"scoreFactor":7},"C-0002":{"statusInfo":{"status":"passed"},"controlID":"C-0002","name":"Exec into container","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0005":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0005","name":"Control plane 
hardening","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9},"C-0006":{"statusInfo":{"status":"failed"},"controlID":"C-0006","name":"Allowed hostPath","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":6},"C-0009":{"statusInfo":{"status":"passed"},"controlID":"C-0009","name":"Resource limits","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0012":{"statusInfo":{"status":"passed"},"controlID":"C-0012","name":"Applications credentials in configuration files","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0013":{"statusInfo":{"status":"failed"},"controlID":"C-0013","name":"Non-root containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0016":{"statusInfo":{"status":"failed"},"controlID":"C-0016","name":"Allow privilege escalation","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0017":{"statusInfo":{"status":"failed"},"controlID":"C-0017","name":"Immutable container filesystem","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":12,"excludedResources":2},"score":80,"scoreFactor":3},"C-0030":{"statusInfo":{"status":"failed"},"controlID":"C-0030","name":"Ingress and Egress blocked","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0034":{"statusInfo":{"status":"failed"},"controlID":"C-0034","name":"Automatic 
mapping of service account","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":2,"excludedResources":2},"score":11.111111,"scoreFactor":6},"C-0035":{"statusInfo":{"status":"passed"},"controlID":"C-0035","name":"Cluster-admin binding","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0038":{"statusInfo":{"status":"failed"},"controlID":"C-0038","name":"Host PID/IPC privileges","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":7},"C-0041":{"statusInfo":{"status":"failed"},"controlID":"C-0041","name":"HostNetwork access","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":7},"C-0044":{"statusInfo":{"status":"failed"},"controlID":"C-0044","name":"Container hostPort","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":4},"C-0046":{"statusInfo":{"status":"passed"},"controlID":"C-0046","name":"Insecure capabilities","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0047":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0047","name":"Exposed dashboard","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0049":{"statusInfo":{"status":"failed"},"controlID":"C-0049","name":"Network mapping","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":3},"C-0054":{"statusInfo":{"status":"failed"},"controlID":"C-0054","name":"Cluster internal 
networking","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"C-0055":{"statusInfo":{"status":"failed"},"controlID":"C-0055","name":"Linux hardening","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":4},"C-0057":{"statusInfo":{"status":"failed"},"controlID":"C-0057","name":"Privileged container","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":8},"C-0058":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0058","name":"CVE-2021-25741 - Using symlink for arbitrary host file system access.","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0059":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0059","name":"CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0060":{"statusInfo":{"status":"failed"},"controlID":"C-0060","name":"Namespace without service accounts","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":2,"failedResources":1,"excludedResources":0},"score":33.333332,"scoreFactor":4},"C-0061":{"statusInfo":{"status":"failed"},"controlID":"C-0061","name":"Pods in default namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":3,"failedResources":12,"excludedResources":0},"score":80,"scoreFactor":3},"C-0062":{"statusInfo":{"status":"passed"},"controlID":"C-0062","name":"Sudo in container 
entrypoint","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0063":{"statusInfo":{"status":"passed"},"controlID":"C-0063","name":"Portforwarding privileges","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0065":{"statusInfo":{"status":"passed"},"controlID":"C-0065","name":"No impersonation","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0066":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0066","name":"Secret/ETCD encryption enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0067":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0067","name":"Audit logs enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0068":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0068","name":"PSP enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":1},"C-0069":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0069","name":"Disable anonymous access to Kubelet service","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":10},"C-0070":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0070","name":"Enforce Kubelet client TLS authentication","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9},"C-0078":{"statusInfo":{"status":"failed"},"controlID":"C-0078","name":"Images from 
allowed registry","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":5},"C-0079":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0079","name":"CVE-2022-0185-linux-kernel-container-escape","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0081":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0081","name":"CVE-2022-24348-argocddirtraversal","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0083":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0083","name":"Workloads with Critical vulnerabilities exposed to external traffic","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0084":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0084","name":"Workloads with RCE vulnerabilities exposed to external traffic","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0085":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0085","name":"Workloads with excessive amount of 
vulnerabilities","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0086":{"statusInfo":{"status":"failed"},"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":12,"excludedResources":2},"score":80,"scoreFactor":4},"C-0087":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0087","name":"CVE-2022-23648-containerd-fs-escape","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0089":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0089","name":"CVE-2022-3172-aggregated-API-server-redirect","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3}},"name":"ArmoBest","status":"failed","version":"","ResourceCounters":{"passedResources":7,"failedResources":16,"excludedResources":4},"score":29.317932},{"controls":{"C-0002":{"statusInfo":{"status":"passed"},"controlID":"C-0002","name":"Exec into container","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0007":{"statusInfo":{"status":"passed"},"controlID":"C-0007","name":"Data Destruction","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0012":{"statusInfo":{"status":"passed"},"controlID":"C-0012","name":"Applications credentials in configuration files","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0014":{"statusInfo":{"status":"passed"},"controlID":"C-0014","name":"Access Kubernetes 
dashboard","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":21,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"C-0015":{"statusInfo":{"status":"failed"},"controlID":"C-0015","name":"List Kubernetes secrets","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":6,"excludedResources":0},"score":100,"scoreFactor":7},"C-0020":{"statusInfo":{"status":"passed"},"controlID":"C-0020","name":"Mount service principal","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0021":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0021","name":"Exposed sensitive interfaces","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0026":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0026","name":"Kubernetes CronJob","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":1},"C-0031":{"statusInfo":{"status":"passed"},"controlID":"C-0031","name":"Delete Kubernetes events","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0035":{"statusInfo":{"status":"passed"},"controlID":"C-0035","name":"Cluster-admin binding","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0036":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0036","name":"Malicious admission controller (validating)","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0037":{"statusInfo":{"status":"passed"},"controlID":"C-0037","name":"CoreDNS 
poisoning","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0039":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0039","name":"Malicious admission controller (mutating)","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0042":{"statusInfo":{"status":"passed"},"controlID":"C-0042","name":"SSH server running inside container","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0045":{"statusInfo":{"status":"failed"},"controlID":"C-0045","name":"Writable hostPath mount","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":8},"C-0047":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0047","name":"Exposed dashboard","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0048":{"statusInfo":{"status":"passed"},"controlID":"C-0048","name":"HostPath mount","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0053":{"statusInfo":{"status":"failed"},"controlID":"C-0053","name":"Access container service account","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":4,"excludedResources":0},"score":100,"scoreFactor":6},"C-0054":{"statusInfo":{"status":"failed"},"controlID":"C-0054","name":"Cluster internal networking","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"C-0057":{"statusInfo":{"status":"failed"},"controlID":"C-0057","name":"Privileged 
container","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":8},"C-0058":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0058","name":"CVE-2021-25741 - Using symlink for arbitrary host file system access.","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0059":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0059","name":"CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0066":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0066","name":"Secret/ETCD encryption enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0067":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0067","name":"Audit logs enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0068":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0068","name":"PSP enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":1},"C-0069":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0069","name":"Disable anonymous access to Kubelet service","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":10},"C-0070":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0070","name":"Enforce Kubelet client TLS 
authentication","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9}},"name":"MITRE","status":"failed","version":"","ResourceCounters":{"passedResources":15,"failedResources":8,"excludedResources":2},"score":10.858586},{"controls":{"CIS-1.1.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.1","name":"Ensure that the API server pod specification file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.10":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.10","name":"Ensure that the Container Network Interface file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.11":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.11","name":"Ensure that the etcd data directory permissions are set to 700 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.1.12":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.12","name":"Ensure that the etcd data directory ownership is set to etcd:etcd","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.1.13":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.13","name":"Ensure that the admin.conf file permissions are set to 600","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.1.14":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.14","name":"Ensure that the admin.conf file 
ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.1.15":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.15","name":"Ensure that the scheduler.conf file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.16":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.16","name":"Ensure that the scheduler.conf file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.17":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.17","name":"Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.18":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.18","name":"Ensure that the controller-manager.conf file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.19":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.19","name":"Ensure that the Kubernetes PKI directory and file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.1.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.2","name":"Ensure that the API server pod specification file ownership is set to 
root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.20":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.20","name":"Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.1.21":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.21","name":"Ensure that the Kubernetes PKI key file permissions are set to 600","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.1.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.3","name":"Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.4","name":"Ensure that the controller manager pod specification file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.5","name":"Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.6","name":"Ensure that the scheduler pod specification file ownership is set to 
root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.7","name":"Ensure that the etcd pod specification file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.8":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.8","name":"Ensure that the etcd pod specification file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.1.9":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.1.9","name":"Ensure that the Container Network Interface file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.2.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.1","name":"Ensure that the API Server --anonymous-auth argument is set to false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.10":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.10","name":"Ensure that the admission control plugin AlwaysAdmit is not set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.11":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.11","name":"Ensure that the admission control plugin AlwaysPullImages is 
set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.12":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.12","name":"Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.13":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.13","name":"Ensure that the admission control plugin ServiceAccount is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.2.14":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.14","name":"Ensure that the admission control plugin NamespaceLifecycle is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.2.15":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.15","name":"Ensure that the admission control plugin NodeRestriction is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.16":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.16","name":"Ensure that the API Server --secure-port argument is not set to 0","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.17":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.17","name":"Ensure that the API Server --profiling argument is set to 
false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.2.18":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.18","name":"Ensure that the API Server --audit-log-path argument is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.19":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.19","name":"Ensure that the API Server --audit-log-maxage argument is set to 30 or as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.2","name":"Ensure that the API Server --token-auth-file parameter is not set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.20":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.20","name":"Ensure that the API Server --audit-log-maxbackup argument is set to 10 or as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.21":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.21","name":"Ensure that the API Server --audit-log-maxsize argument is set to 100 or as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.22":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.22","name":"Ensure that the API Server --request-timeout argument is set as 
appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.23":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.23","name":"Ensure that the API Server --service-account-lookup argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.2.24":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.24","name":"Ensure that the API Server --service-account-key-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-1.2.25":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.25","name":"Ensure that the API Server --etcd-certfile and --etcd-keyfile arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.26":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.26","name":"Ensure that the API Server --tls-cert-file and --tls-private-key-file arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.27":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.27","name":"Ensure that the API Server --client-ca-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.28":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.28","name":"Ensure that the API Server --etcd-cafile argument is set as 
appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.29":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.29","name":"Ensure that the API Server --encryption-provider-config argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.3","name":"Ensure that the API Server --DenyServiceExternalIPs is not set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.2.30":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.30","name":"Ensure that encryption providers are appropriately configured","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.31":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.31","name":"Ensure that the API Server only makes use of Strong Cryptographic Ciphers","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-1.2.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.4","name":"Ensure that the API Server --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.5","name":"Ensure that the API Server --kubelet-certificate-authority argument is set as 
appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.6","name":"Ensure that the API Server --authorization-mode argument is not set to AlwaysAllow","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.2.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.7","name":"Ensure that the API Server --authorization-mode argument includes Node","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-1.2.8":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.8","name":"Ensure that the API Server --authorization-mode argument includes RBAC","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-1.2.9":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.2.9","name":"Ensure that the admission control plugin EventRateLimit is set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.3.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.1","name":"Ensure that the Controller Manager --terminated-pod-gc-threshold argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.3.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.2","name":"Ensure that the Controller Manager --profiling argument is set to 
false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.3.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.3","name":"Ensure that the Controller Manager --use-service-account-credentials argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-1.3.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.4","name":"Ensure that the Controller Manager --service-account-private-key-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.3.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.5","name":"Ensure that the Controller Manager --root-ca-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-1.3.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.6","name":"Ensure that the Controller Manager RotateKubeletServerCertificate argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-1.3.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.3.7","name":"Ensure that the Controller Manager --bind-address argument is set to 127.0.0.1","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-1.4.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.4.1","name":"Ensure that the Scheduler --profiling argument is set to 
false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-1.4.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-1.4.2","name":"Ensure that the Scheduler --bind-address argument is set to 127.0.0.1","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-2.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.1","name":"Ensure that the --cert-file and --key-file arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-2.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.2","name":"Ensure that the --client-cert-auth argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-2.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.3","name":"Ensure that the --auto-tls argument is not set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-2.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.4","name":"Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-2.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.5","name":"Ensure that the --peer-client-cert-auth argument is set to 
true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-2.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.6","name":"Ensure that the --peer-auto-tls argument is not set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-2.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-2.7","name":"Ensure that a unique Certificate Authority is used for etcd","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-4.1.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.1","name":"Ensure that the kubelet service file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.10":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.10","name":"If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.1.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.2","name":"Ensure that the kubelet service file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.3","name":"If proxy kubeconfig file exists ensure permissions are set to 600 or more 
restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.4","name":"If proxy kubeconfig file exists ensure ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.5","name":"Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.6","name":"Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.1.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.7","name":"Ensure that the certificate authorities file permissions are set to 600 or more restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.1.8":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.8","name":"Ensure that the client certificate authorities file ownership is set to root:root","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.1.9":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.1.9","name":"If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more 
restrictive","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.2.1":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.1","name":"Ensure that the --anonymous-auth argument is set to false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.2.10":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.10","name":"Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-4.2.11":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.11","name":"Ensure that the --rotate-certificates argument is not set to false","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.2.12":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.12","name":"Verify that the RotateKubeletServerCertificate argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.2.13":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.13","name":"Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-4.2.2":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.2","name":"Ensure that the --authorization-mode argument is not set to 
AlwaysAllow","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.2.3":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.3","name":"Ensure that the --client-ca-file argument is set as appropriate","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-4.2.4":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.4","name":"Verify that the --read-only-port argument is set to 0","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-4.2.5":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.5","name":"Ensure that the --streaming-connection-idle-timeout argument is not set to 0","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-4.2.6":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.6","name":"Ensure that the --protect-kernel-defaults argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"CIS-4.2.7":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.7","name":"Ensure that the --make-iptables-util-chains argument is set to true","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-4.2.8":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.8","name":"Ensure that the --hostname-override argument is not 
set","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"CIS-4.2.9":{"statusInfo":{"status":"irrelevant"},"controlID":"CIS-4.2.9","name":"Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"CIS-5.1.1":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.1.1","name":"Ensure that the cluster-admin role is only used where required","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":5,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"CIS-5.1.2":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.1.2","name":"Minimize access to secrets","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":6,"excludedResources":0},"score":100,"scoreFactor":6},"CIS-5.1.3":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.1.3","name":"Minimize wildcard use in Roles and ClusterRoles","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"CIS-5.1.4":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.1.4","name":"Minimize access to create pods","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"CIS-5.1.5":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.1.5","name":"Ensure that default service accounts are not actively used","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":2,"failedResources":1,"excludedResources":0},"score":33.333332,"scoreFactor":5},"CIS-5.1.6":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.1.6","name":"Ensure that Service Account Tokens are only mounted where 
necessary","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":2,"excludedResources":2},"score":11.111111,"scoreFactor":5},"CIS-5.1.8":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.1.8","name":"Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"CIS-5.2.1":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.1","name":"Ensure that the cluster has at least one active policy control mechanism in place","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"CIS-5.2.10":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.10","name":"Minimize the admission of containers with capabilities assigned","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.2.11":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.11","name":"Minimize the admission of Windows HostProcess Containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":7},"CIS-5.2.12":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.12","name":"Minimize the admission of HostPath volumes","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":6},"CIS-5.2.13":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.13","name":"Minimize the admission of containers which use 
HostPorts","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"CIS-5.2.2":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.2","name":"Minimize the admission of privileged containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":8},"CIS-5.2.3":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.3","name":"Minimize the admission of containers wishing to share the host process ID namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.2.4":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.4","name":"Minimize the admission of containers wishing to share the host IPC namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.2.5":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.5","name":"Minimize the admission of containers wishing to share the host network namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.2.6":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.6","name":"Minimize the admission of containers with allowPrivilegeEscalation","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":6},"CIS-5.2.7":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.7","name":"Minimize the admission of root 
containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":6},"CIS-5.2.8":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.8","name":"Minimize the admission of containers with the NET_RAW capability","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":6},"CIS-5.2.9":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.2.9","name":"Minimize the admission of containers with added capabilities","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.3.2":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.3.2","name":"Ensure that all Namespaces have Network Policies defined","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"CIS-5.4.1":{"statusInfo":{"status":"passed"},"controlID":"CIS-5.4.1","name":"Prefer using secrets as files over secrets as environment variables","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"CIS-5.7.1":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.7.1","name":"Create administrative boundaries between resources using namespaces","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":5},"CIS-5.7.2":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.7.2","name":"Ensure that the seccomp profile is set to docker/default in your pod 
definitions","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":4},"CIS-5.7.3":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.7.3","name":"Apply Security Context to Your Pods and Containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":8},"CIS-5.7.4":{"statusInfo":{"status":"failed"},"controlID":"CIS-5.7.4","name":"The default namespace should not be used","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":7,"failedResources":27,"excludedResources":0},"score":79.411766,"scoreFactor":4}},"name":"CIS","status":"failed","version":"","ResourceCounters":{"passedResources":2,"failedResources":37,"excludedResources":4},"score":43.612335},{"controls":{"C-0002":{"statusInfo":{"status":"passed"},"controlID":"C-0002","name":"Exec into container","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0005":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0005","name":"Control plane hardening","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9},"C-0006":{"statusInfo":{"status":"failed"},"controlID":"C-0006","name":"Allowed hostPath","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":6},"C-0009":{"statusInfo":{"status":"passed"},"controlID":"C-0009","name":"Resource limits","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0012":{"statusInfo":{"status":"passed"},"controlID":"C-0012","name":"Applications credentials in configuration 
files","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0013":{"statusInfo":{"status":"failed"},"controlID":"C-0013","name":"Non-root containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0016":{"statusInfo":{"status":"failed"},"controlID":"C-0016","name":"Allow privilege escalation","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0017":{"statusInfo":{"status":"failed"},"controlID":"C-0017","name":"Immutable container filesystem","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":12,"excludedResources":2},"score":80,"scoreFactor":3},"C-0030":{"statusInfo":{"status":"failed"},"controlID":"C-0030","name":"Ingress and Egress blocked","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0034":{"statusInfo":{"status":"failed"},"controlID":"C-0034","name":"Automatic mapping of service account","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":2,"excludedResources":2},"score":11.111111,"scoreFactor":6},"C-0035":{"statusInfo":{"status":"passed"},"controlID":"C-0035","name":"Cluster-admin binding","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0038":{"statusInfo":{"status":"failed"},"controlID":"C-0038","name":"Host PID/IPC privileges","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":7},"C-0041":{"statusInfo":{"status":"failed"},"controlID":"C-0041","name":"HostNetwork 
access","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":7},"C-0044":{"statusInfo":{"status":"failed"},"controlID":"C-0044","name":"Container hostPort","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":4},"C-0046":{"statusInfo":{"status":"passed"},"controlID":"C-0046","name":"Insecure capabilities","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0047":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0047","name":"Exposed dashboard","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0054":{"statusInfo":{"status":"failed"},"controlID":"C-0054","name":"Cluster internal networking","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"C-0055":{"statusInfo":{"status":"failed"},"controlID":"C-0055","name":"Linux hardening","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":4},"C-0057":{"statusInfo":{"status":"failed"},"controlID":"C-0057","name":"Privileged container","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":8},"C-0058":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0058","name":"CVE-2021-25741 - Using symlink for arbitrary host file system 
access.","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0059":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0059","name":"CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0066":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0066","name":"Secret/ETCD encryption enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0067":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0067","name":"Audit logs enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0068":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0068","name":"PSP enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":1},"C-0069":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0069","name":"Disable anonymous access to Kubelet service","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":10},"C-0070":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0070","name":"Enforce Kubelet client TLS authentication","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9}},"name":"NSA","status":"failed","version":"","ResourceCounters":{"passedResources":7,"failedResources":16,"excludedResources":4},"score":26.9876},{"controls":{"C-0001":{"statusInfo":{"status":"failed"},"controlID":"C-0001","name":"Forbidden Container 
Registries","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":12,"failedResources":1,"excludedResources":2},"score":6.6666665,"scoreFactor":7},"C-0002":{"statusInfo":{"status":"passed"},"controlID":"C-0002","name":"Exec into container","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0004":{"statusInfo":{"status":"passed"},"controlID":"C-0004","name":"Resources memory limit and request","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0005":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0005","name":"Control plane hardening","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9},"C-0006":{"statusInfo":{"status":"failed"},"controlID":"C-0006","name":"Allowed hostPath","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":6},"C-0007":{"statusInfo":{"status":"passed"},"controlID":"C-0007","name":"Data Destruction","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0009":{"statusInfo":{"status":"passed"},"controlID":"C-0009","name":"Resource limits","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0012":{"statusInfo":{"status":"passed"},"controlID":"C-0012","name":"Applications credentials in configuration files","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0013":{"statusInfo":{"status":"failed"},"controlID":"C-0013","name":"Non-root 
containers","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0014":{"statusInfo":{"status":"passed"},"controlID":"C-0014","name":"Access Kubernetes dashboard","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":21,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"C-0015":{"statusInfo":{"status":"failed"},"controlID":"C-0015","name":"List Kubernetes secrets","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":6,"excludedResources":0},"score":100,"scoreFactor":7},"C-0016":{"statusInfo":{"status":"failed"},"controlID":"C-0016","name":"Allow privilege escalation","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0017":{"statusInfo":{"status":"failed"},"controlID":"C-0017","name":"Immutable container filesystem","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":12,"excludedResources":2},"score":80,"scoreFactor":3},"C-0018":{"statusInfo":{"status":"failed"},"controlID":"C-0018","name":"Configured readiness probe","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":3},"C-0020":{"statusInfo":{"status":"passed"},"controlID":"C-0020","name":"Mount service principal","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0021":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0021","name":"Exposed sensitive 
interfaces","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0026":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0026","name":"Kubernetes CronJob","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":1},"C-0030":{"statusInfo":{"status":"failed"},"controlID":"C-0030","name":"Ingress and Egress blocked","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":6},"C-0031":{"statusInfo":{"status":"passed"},"controlID":"C-0031","name":"Delete Kubernetes events","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0034":{"statusInfo":{"status":"failed"},"controlID":"C-0034","name":"Automatic mapping of service account","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":2,"excludedResources":2},"score":11.111111,"scoreFactor":6},"C-0035":{"statusInfo":{"status":"passed"},"controlID":"C-0035","name":"Cluster-admin binding","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0036":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0036","name":"Malicious admission controller (validating)","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0037":{"statusInfo":{"status":"passed"},"controlID":"C-0037","name":"CoreDNS poisoning","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0038":{"statusInfo":{"status":"failed"},"controlID":"C-0038","name":"Host PID/IPC 
privileges","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":7},"C-0039":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0039","name":"Malicious admission controller (mutating)","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0041":{"statusInfo":{"status":"failed"},"controlID":"C-0041","name":"HostNetwork access","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":7},"C-0042":{"statusInfo":{"status":"passed"},"controlID":"C-0042","name":"SSH server running inside container","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0044":{"statusInfo":{"status":"failed"},"controlID":"C-0044","name":"Container hostPort","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":4},"C-0045":{"statusInfo":{"status":"failed"},"controlID":"C-0045","name":"Writable hostPath mount","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":8},"C-0046":{"statusInfo":{"status":"passed"},"controlID":"C-0046","name":"Insecure capabilities","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0047":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0047","name":"Exposed dashboard","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0048":{"statusInfo":{"status":"passed"},"controlID":"C-0048","name":"HostPath 
mount","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0049":{"statusInfo":{"status":"failed"},"controlID":"C-0049","name":"Network mapping","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":3},"C-0050":{"statusInfo":{"status":"passed"},"controlID":"C-0050","name":"Resources CPU limit and request","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0053":{"statusInfo":{"status":"failed"},"controlID":"C-0053","name":"Access container service account","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":4,"excludedResources":0},"score":100,"scoreFactor":6},"C-0054":{"statusInfo":{"status":"failed"},"controlID":"C-0054","name":"Cluster internal networking","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":1,"excludedResources":2},"score":33.333332,"scoreFactor":4},"C-0055":{"statusInfo":{"status":"failed"},"controlID":"C-0055","name":"Linux hardening","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":4},"C-0056":{"statusInfo":{"status":"failed"},"controlID":"C-0056","name":"Configured liveness probe","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":13,"failedResources":2,"excludedResources":0},"score":13.333333,"scoreFactor":4},"C-0057":{"statusInfo":{"status":"failed"},"controlID":"C-0057","name":"Privileged container","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":14,"failedResources":1,"excludedResources":0},"score":6.6666665,"scoreFactor":8},"C-0058":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0058","name":"CVE-2021-25741 - Using 
symlink for arbitrary host file system access.","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0059":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0059","name":"CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0060":{"statusInfo":{"status":"failed"},"controlID":"C-0060","name":"Namespace without service accounts","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":2,"failedResources":1,"excludedResources":0},"score":33.333332,"scoreFactor":4},"C-0061":{"statusInfo":{"status":"failed"},"controlID":"C-0061","name":"Pods in default namespace","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":3,"failedResources":12,"excludedResources":0},"score":80,"scoreFactor":3},"C-0062":{"statusInfo":{"status":"passed"},"controlID":"C-0062","name":"Sudo in container entrypoint","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0063":{"statusInfo":{"status":"passed"},"controlID":"C-0063","name":"Portforwarding privileges","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0065":{"statusInfo":{"status":"passed"},"controlID":"C-0065","name":"No impersonation","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":6,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0066":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0066","name":"Secret/ETCD encryption 
enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0067":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0067","name":"Audit logs enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0068":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0068","name":"PSP enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":1},"C-0069":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0069","name":"Disable anonymous access to Kubelet service","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":10},"C-0070":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0070","name":"Enforce Kubelet client TLS authentication","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":9},"C-0073":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0073","name":"Naked PODs","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":3},"C-0074":{"statusInfo":{"status":"passed"},"controlID":"C-0074","name":"Containers mounting Docker socket","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":5},"C-0075":{"statusInfo":{"status":"passed"},"controlID":"C-0075","name":"Image pull policy on latest tag","status":"passed","resourceIDs":{},"ResourceCounters":{"passedResources":15,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":2},"C-0076":{"statusInfo":{"status":"failed"},"controlID":"C-0076","name":"Label 
usage for resources","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":2,"failedResources":13,"excludedResources":0},"score":86.666664,"scoreFactor":2},"C-0077":{"statusInfo":{"status":"failed"},"controlID":"C-0077","name":"K8s common labels usage","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":2},"C-0078":{"statusInfo":{"status":"failed"},"controlID":"C-0078","name":"Images from allowed registry","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":13,"excludedResources":2},"score":86.666664,"scoreFactor":5},"C-0079":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0079","name":"CVE-2022-0185-linux-kernel-container-escape","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0081":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0081","name":"CVE-2022-24348-argocddirtraversal","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":4},"C-0083":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0083","name":"Workloads with Critical vulnerabilities exposed to external traffic","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0084":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0084","name":"Workloads with RCE vulnerabilities exposed to external traffic","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":8},"C-0085":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0085","name":"Workloads with excessive amount of 
vulnerabilities","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":6},"C-0086":{"statusInfo":{"status":"failed"},"controlID":"C-0086","name":"CVE-2022-0492-cgroups-container-escape","status":"failed","resourceIDs":{},"ResourceCounters":{"passedResources":1,"failedResources":12,"excludedResources":2},"score":80,"scoreFactor":4},"C-0087":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0087","name":"CVE-2022-23648-containerd-fs-escape","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7},"C-0088":{"statusInfo":{"status":"irrelevant"},"controlID":"C-0088","name":"RBAC enabled","status":"irrelevant","resourceIDs":{},"ResourceCounters":{"passedResources":0,"failedResources":0,"excludedResources":0},"score":0,"scoreFactor":7}},"name":"AllControls","status":"failed","version":"","ResourceCounters":{"passedResources":2,"failedResources":22,"excludedResources":4},"score":23.911491}],"severityCounters":{"criticalSeverity":0,"highSeverity":26,"mediumSeverity":151,"lowSeverity":52},"ResourceCounters":{"passedResources":3,"failedResources":37,"excludedResources":4},"score":28.733154},"paginationInfo":{"chunkNumber":0,"isLastChunk":false}}