Kubernetes Policy Index

How to Use this Page

This page lists the Kubernetes policies that Bridgecrew helps you enforce. You can browse this page or search for a specific policy ID or short title. For each policy, follow the link for more details about the policy and its fix options.

Do not admit containers wishing to share host process ID namespace
Policy ID: BC_K8_1

Do not admit privileged containers
Policy ID: BC_K8S_2

Do not admit containers wishing to share host IPC namespace
Policy ID: BC_K8S_3

Do not admit containers wishing to share host network namespace
Policy ID: BC_K8S_4

Do not admit root containers
Policy ID: BC_K8S_5

Do not admit containers with NET_RAW capability
Policy ID: BC_K8_6

Ensure liveness probe is configured
Policy ID: BC_K8S_7

Ensure readiness probe is configured
Policy ID: BC_K8S_8

Ensure CPU request is set
Policy ID: BC_K8S_9

Ensure CPU limits are set
Policy ID: BC_K8S_10

Ensure memory requests are set
Policy ID: BC_K8S_11

Ensure memory limits are set
Policy ID: BC_K8S_12

Ensure image tag is set to Fixed - not Latest or Blank
Policy ID: BC_K8S_13

Ensure image pull policy is set to Always
Policy ID: BC_K8S_14

Ensure container is not privileged
Policy ID: BC_K8S_15

Ensure containers do not share host process ID namespace
Policy ID: BC_K8S_16

Ensure containers do not share host IPC namespace
Policy ID: BC_K8S_17

Ensure containers do not share the host network namespace
Policy ID: BC_K8S_18

Ensure containers do not run with AllowPrivilegeEscalation
Policy ID: BC_K8S_19

Ensure default namespace is not used
Policy ID: BC_K8S_20

Use Read-Only filesystem for containers where possible
Policy ID: BC_K8S_21

Minimize admission of root containers
Policy ID: BC_K8S_22

Ensure containers with added capability are not allowed
Policy ID: BC_K8S_23

Ensure admission of containers with added capability is minimized
Policy ID: BC_K8S_24

Do not specify hostPort unless absolutely necessary
Policy ID: BC_K8S_25

Limit mounting Docker socket daemon in a container
Policy ID: BC_K8S_26

Ensure admission of containers with NET_RAW capability is minimized
Policy ID: BC_K8S_27

Ensure securityContext is applied to pods and containers
Policy ID: BC_K8S_28

Ensure seccomp is set to Docker/Default or Runtime/Default
Policy ID: BC_K8S_29

Ensure seccomp profile is set to Docker/Default or Runtime/Default
Policy ID: BC_K8S_30

Ensure Kubernetes dashboard is not deployed
Policy ID: BC_K8S_31

Ensure Tiller (Helm V2) is not deployed
Policy ID: BC_K8S_32

Use secrets as files instead of environment variables
Policy ID: BC_K8S_33

Ensure admission of containers with capabilities assigned is limited
Policy ID: BC_K8S_34

Ensure service account tokens are mounted where necessary
Policy ID: BC_K8S_35

Ensure CAP_SYS_ADMIN Linux capability is not used
Policy ID: BC_K8S_36

Ensure containers run with a high UID to avoid host conflict
Policy ID: BC_K8S_37

Ensure default service accounts are not actively used
Policy ID: BC_K8S_38

Ensure images are selected using a digest
Policy ID: BC_K8S_39

Ensure Tiller (Helm V2) deployment is not accessible from within the cluster
Policy ID: BC_K8S_40

Ensure Tiller (Helm v2) service is deleted
Policy ID: BC_K8S_41

Ensure containers do not run with AllowPrivilegeEscalation
Policy ID: BC_K8S_42

Ensure securityContext is applied to pods and containers
Policy ID: BC_K8S_43

Minimise the admission of containers with capabilities assigned
Policy ID: BC_K8S_44

Ensure default service accounts are not actively used
Policy ID: BC_K8S_45

Ensure the --anonymous-auth argument is set to False
Policy ID: BC_K8S_46

Ensure the --basic-auth-file argument is not Set
Policy ID: BC_K8S_47

Ensure the --token-auth-file argument is not Set
Policy ID: BC_K8S_48

Ensure the --kubelet-https argument is set to True
Policy ID: BC_K8S_49

Ensure the --kubelet-client-certificate and --kubelet-client-key arguments are set appropriately
Policy ID: BC_K8S_50

Ensure the --kubelet-certificate-authority argument is set appropriately
Policy ID: BC_K8S_51

Ensure the --authorization-mode argument is not set to AlwaysAllow
Policy ID: BC_K8S_52

Ensure the --authorization-mode argument includes node
Policy ID: BC_K8S_53

Ensure the --authorization-mode argument includes RBAC
Policy ID: BC_K8S_54

Ensure the admission control plugin EventRateLimit is set
Policy ID: BC_K8S_55

Ensure the admission control plugin AlwaysAdmit is not set
Policy ID: BC_K8S_56

Ensure the admission control plugin AlwaysPullImages is set
Policy ID: BC_K8S_57

Ensure the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
Policy ID: BC_K8S_58

Ensure the admission control plugin ServiceAccount is set
Policy ID: BC_K8S_59

Ensure the admission control plugin NamespaceLifecycle is set
Policy ID: BC_K8S_60

Ensure the admission control plugin PodSecurityPolicy is set
Policy ID: BC_K8S_61

Ensure the admission control plugin NodeRestriction is set
Policy ID: BC_K8S_62

Ensure the --insecure-bind-address argument is not set
Policy ID: BC_K8S_63

Ensure the --insecure-port argument is set to 0
Policy ID: BC_K8S_64

Ensure the --secure-port argument is not set to 0
Policy ID: BC_K8S_65

Ensure the --profiling argument is set to False
Policy ID: BC_K8S_66

Ensure the --audit-log-path argument is set
Policy ID: BC_K8S_67

Ensure the --audit-log-maxage argument is set to 30 or appropriately
Policy ID: BC_K8S_68

Ensure the --audit-log-maxbackup argument is set to 10 or appropriately
Policy ID: BC_K8S_69

Ensure the --audit-log-maxsize argument is set to 100 or appropriately
Policy ID: BC_K8S_70

Ensure the --request-timeout argument is set appropriately
Policy ID: BC_K8S_71

Ensure the --service-account-lookup argument is set to True
Policy ID: BC_K8S_72

Ensure the --service-account-key-file argument is set appropriately
Policy ID: BC_K8S_73

Ensure the --etcd-certfile and --etcd-keyfile arguments are set appropriately
Policy ID: BC_K8S_74

Ensure the --tls-cert-file and --tls-private-key-file arguments are set appropriately
Policy ID: BC_K8S_75

Ensure Kubelet only uses strong cryptographic ciphers
Policy ID: BC_K8S_76

Ensure the --etcd-cafile argument is set appropriately
Policy ID: BC_K8S_77

Ensure encryption providers are appropriately configured
Policy ID: BC_K8S_78

Ensure the API server makes use of strong cryptographic ciphers
Policy ID: BC_K8S_79

Ensure the --terminated-pod-gc-threshold argument for controller managers is set appropriately
Policy ID: BC_K8S_80

Ensure the --profiling argument for controller managers is set to False
Policy ID: BC_K8S_81

Ensure the --use-service-account-credentials argument for controller managers is set to True
Policy ID: BC_K8S_82

Ensure the --service-account-private-key-file argument for controller managers is set appropriately
Policy ID: BC_K8S_83

Ensure the --root-ca-file argument for controller managers is set appropriately
Policy ID: BC_K8S_84

Ensure the RotateKubeletServerCertificate argument for controller managers is set to True
Policy ID: BC_K8S_85

Ensure the --bind-address argument for controller managers is set to 127.0.0.1
Policy ID: BC_K8S_86

Ensure the --profiling argument is set to False
Policy ID: BC_K8S_87

Ensure the --bind-address argument is set to 127.0.0.1
Policy ID: BC_K8S_88

Ensure the --cert-file and --key-file arguments are set appropriately
Policy ID: BC_K8S_89

Ensure the --client-cert-auth argument is set to True
Policy ID: BC_K8S_90

Ensure the --auto-tls argument is not set to True
Policy ID: BC_K8S_91

Ensure the --peer-cert-file and --peer-key-file arguments are set appropriately
Policy ID: BC_K8S_92

Ensure the --peer-client-cert-auth argument is set to True
Policy ID: BC_K8S_93

Ensure the --peer-auto-tls argument is not set to True
Policy ID: BC_K8S_94

Ensure the --anonymous-auth argument is set to False
Policy ID: BC_K8S_95

Ensure the --authorization-mode argument is not set to AlwaysAllow
Policy ID: BC_K8S_96

Ensure the --client-ca-file argument for API Servers is set appropriately
Policy ID: BC_K8S_97

Ensure the --read-only-port argument is set to 0
Policy ID: BC_K8S_98

Ensure the --streaming-connection-idle-timeout argument is not set to 0
Policy ID: BC_K8S_99

Ensure the --protect-kernel-defaults argument is set to True
Policy ID: BC_K8S_100

Ensure the --make-iptables-util-chains argument is set to True
Policy ID: BC_K8S_101

Ensure the --hostname-override argument is not set
Policy ID: BC_K8S_102

Ensure the --event-qps argument is set to 0 or a level that ensures appropriate event capture
Policy ID: BC_K8S_103

Ensure --tls-cert-file and --tls-private-key-file arguments are set appropriately
Policy ID: BC_K8S_104

Ensure the --rotate-certificates argument is not set to false
Policy ID: BC_K8S_105

Ensure the RotateKubeletServerCertificate argument for kubelets is set to True
Policy ID: BC_K8S_106

Ensure minimized wildcard use in Roles and ClusterRoles
Policy ID: BC_K8S_107

RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding
Policy ID: CKV2_K8S_1

Granting create permissions to nodes/proxy or pods/exec sub resources allows potential privilege escalation
Policy ID: CKV2_K8S_2

No ServiceAccount/Node should have impersonate permissions for groups/users/service-accounts
Policy ID: CKV2_K8S_3

ServiceAccounts and nodes that can modify services/status may set the status.loadBalancer.ingress.ip field to exploit the unfixed CVE-2020-8554 and launch MITM attacks against the cluster
Policy ID: CKV2_K8S_4

No ServiceAccount/Node should be able to read all secrets
Policy ID: CKV2_K8S_5