PlatformResourcesSign inSign Up

Kubernetes Policy Index

Suggest Edits

How to Use this Page

This page lists the Kubernetes Policies that Bridgecrew helps you enforce. You can browse this page, or search for a specific policy ID or short title. For each policy, press the link for more details about a policy and its fix options.

Do not admit containers wishing to share host process ID namespace
Policy ID: BC_K8_1

Do not admit privileged containers
Policy ID: BC_K8S_2

Do not admit containers wishing to share host IPC namespace
Policy ID: BC_K8S_3

Do not admit containers wishing to share host network namespace
Policy ID: BC_K8S_4

Do not admit root containers
Policy ID: BC_K8S_5

Do not admit containers with NET_RAW capability
Policy ID: BC_K8_6

Ensure liveness probe is configured
Policy ID: BC_K8S_7

Ensure readiness probe is configured
Policy ID: BC_K8S_8

Ensure CPU request is set
Policy ID: BC_K8S_9

Ensure CPU limits are set
Policy ID: BC_K8S_10

Ensure memory requests are set
Policy ID: BC_K8S_11

Ensure memory limits are set
Policy ID: BC_K8S_12

Ensure image tag is set to Fixed - not Latest or Blank
Policy ID: BC_K8S_13

Ensure image pull policy is set to Always
Policy ID: BC_K8S_14

Ensure container is not privileged
Policy ID: BC_K8S_15

Ensure containers do not share host process ID namespace
Policy ID: BC_K8S_16

Ensure containers do not share host IPC namespace
Policy ID: BC_K8S_17

Ensure containers do not share the host network namespace
Policy ID: BC_K8S_18

Ensure containers do not run with AllowPrivilegeEscalation
Policy ID: BC_K8S_19

Ensure default namespace is not used
Policy ID: BC_K8S_20

Use Read-Only filesystem for containers where possible
Policy ID: BC_K8S_21

Minimize admission of root containers
Policy ID: BC_K8S_22

Ensure containers with added capability are not allowed
Policy ID: BC_K8S_23

Ensure admission of containers with added capability is minimized
Policy ID: BC_K8S_24

Do not specify hostPort unless absolutely necessary
Policy ID: BC_K8S_25

Limit mounting Docker socket daemon in a container
Policy ID: BC_K8S_26

Ensure admission of containers with NET_RAW capability is minimized
Policy ID: BC_K8S_27

Ensure securityContext is applied to pods and containers
Policy ID: BC_K8S_28

Ensure seccomp is set to Docker/Default or Runtime/Default
Policy ID: BC_K8S_29

Ensure seccomp profile is set to Docker/Default or Runtime/Default
Policy ID: BC_K8S_30

Ensure Kubernetes dashboard is not deployed
Policy ID: BC_K8S_31

Ensure Tiller (Helm V2) is not deployed
Policy ID: BC_K8S_32

Use secrets as files instead of environment variables
Policy ID: BC_K8S_33

Ensure admission of containers with capabilities assigned is limited
Policy ID: BC_K8S_34

Ensure service account tokens are mounted where necessary
Policy ID: BC_K8S_35

Ensure CAP_SYS_ADMIN Linux capability is not used
Policy ID: BC_K8S_36

Ensure containers run with a high UID to avoid host conflict
Policy ID: BC_K8S_37

Ensure default service accounts are not actively used
Policy ID: BC_K8S_38

Ensure images are selected using a digest
Policy ID: BC_K8S_39

Ensure Tiller (Helm V2) deployment is not accessible from within the cluster
Policy ID: BC_K8S_40

Ensure Tiller (Helm v2) service is deleted
Policy ID: BC_K8S_41

Ensure containers do not run with AllowPrivilegeEscalation
Policy ID: BC_K8S_42

Ensure securityContext is applied to pods and containers
Policy ID: BC_K8S_43

Minimise the admission of containers with capabilities assigned
Policy ID: BC_K8S_44

Ensure default service accounts are not actively used
Policy ID: BC_K8S_45

Ensure the --anonymous-auth argument is set to False
Policy ID: BC_K8S_46

Ensure the --basic-auth-file argument is not Set
Policy ID: BC_K8S_47

Ensure the --token-auth-file argument is not Set
Policy ID: BC_K8S_48

Ensure the --kubelet-https argument is set to True
Policy ID: BC_K8S_49

Ensure the --kubelet-client-certificate and --kubelet-client-key arguments are set appropriately
Policy ID: BC_K8S_50

Ensure the --kubelet-certificate-authority argument is set appropriately
Policy ID: BC_K8S_51

Ensure the --authorization-mode argument is not set to AlwaysAllow
Policy ID: BC_K8S_52

Ensure the --authorization-mode argument includes node
Policy ID: BC_K8S_53

Ensure the --authorization-mode argument includes RBAC
Policy ID: BC_K8S_54

Ensure the admission control plugin EventRateLimit is set
Policy ID: BC_K8S_55

Ensure the admission control plugin AlwaysAdmit is not set
Policy ID: BC_K8S_56

Ensure the admission control plugin AlwaysPullImages is set
Policy ID: BC_K8S_57

Ensure the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
Policy ID: BC_K8S_58

Ensure the admission control plugin ServiceAccount is set
Policy ID: BC_K8S_59

Ensure the admission control plugin NamespaceLifecycle is set
Policy ID: BC_K8S_60

Ensure the admission control plugin PodSecurityPolicy is set
Policy ID: BC_K8S_61

Ensure the admission control plugin NodeRestriction is set
Policy ID: BC_K8S_62

Ensure the --insecure-bind-address argument is not set
Policy ID: BC_K8S_63

Ensure the --insecure-port argument is set to 0
Policy ID: BC_K8S_64

Ensure the --secure-port argument is not set to 0
Policy ID: BC_K8S_65

Ensure the --profiling argument is set to False
Policy ID: BC_K8S_66

Ensure the --audit-log-path argument is set
Policy ID: BC_K8S_67

Ensure the --audit-log-maxage argument is set to 30 or appropriately
Policy ID: BC_K8S_68

Ensure the --audit-log-maxbackup argument is set to 10 or appropriately
Policy ID: BC_K8S_69

Ensure the --audit-log-maxsize argument is set to 100 or appropriately
Policy ID: BC_K8S_70

Ensure the --request-timeout argument is set appropriately
Policy ID: BC_K8S_71

Ensure the --service-account-lookup argument is set to True
Policy ID: BC_K8S_72

Ensure the --service-account-key-file argument is set appropriately
Policy ID: BC_K8S_73

Ensure the --etcd-certfile and --etcd-keyfile arguments are set appropriately
Policy ID: BC_K8S_74

Ensure the --tls-cert-file and --tls-private-key-file arguments are set appropriately
Policy ID: BC_K8S_75

Ensure Kubelet only uses strong cryptographic ciphers
Policy ID: BC_K8S_76

Ensure the --etcd-cafile argument is set appropriately
Policy ID: BC_K8S_77

Ensure encryption providers are appropriately configured
Policy ID: BC_K8S_78

Ensure the API server makes use of strong cryptographic ciphers
Policy ID: BC_K8S_79

Ensure the --terminated-pod-gc-threshold argument for controller managers is set appropriately
Policy ID: BC_K8S_80

Ensure the --profiling argument for controller managers is set to False
Policy ID: BC_K8S_81

Ensure the --use-service-account-credentials argument for controller managers is set to True
Policy ID: BC_K8S_82

Ensure the --service-account-private-key-file argument for controller managers is set appropriately
Policy ID: BC_K8S_83

Ensure the --root-ca-file argument for controller managers is set appropriately
Policy ID: BC_K8S_84

Ensure the RotateKubeletServerCertificate argument for controller managers is set to True
Policy ID: BC_K8S_85

Ensure the --bind-address argument for controller managers is set to 127.0.0.1
Policy ID: BC_K8S_86

Ensure the --profiling argument is set to False
Policy ID: BC_K8S_87

Ensure the --bind-address argument is set to 127.0.0.1
Policy ID: BC_K8S_88

Ensure the --cert-file and --key-file arguments are set appropriately
Policy ID: BC_K8S_89

Ensure the --client-cert-auth argument is set to True
Policy ID: BC_K8S_90

Ensure the --auto-tls argument is not set to True
Policy ID: BC_K8S_91

Ensure the --peer-cert-file and --peer-key-file arguments are set appropriately
Policy ID: BC_K8S_92

Ensure the --peer-client-cert-auth argument is set to True
Policy ID: BC_K8S_93

Ensure the --peer-auto-tls argument is not set to True
Policy ID: BC_K8S_94

Ensure the --anonymous-auth argument is set to False
Policy ID: BC_K8S_95

Ensure the --authorization-mode argument is not set to AlwaysAllow
Policy ID: BC_K8S_96

Ensure the --client-ca-file argument for API Servers is set appropriately
Policy ID: BC_K8S_97

Ensure the --read-only-port argument is set to 0
Policy ID: BC_K8S_98

Ensure the --streaming-connection-idle-timeout argument is not set to 0
Policy ID: BC_K8S_99

Ensure the --protect-kernel-defaults argument is set to True
Policy ID: BC_K8S_100

Ensure the --make-iptables-util-chains argument is set to True
Policy ID: BC_K8S_101

Ensure the --hostname-override argument is not set
Policy ID: BC_K8S_102

Ensure the --event-qps argument is set to 0 or a level that ensures appropriate event capture
Policy ID: BC_K8S_103

Ensure --tls-cert-file and --tls-private-key-file arguments are set appropriately
Policy ID: BC_K8S_104

Ensure the --rotate-certificates argument is not set to false
Policy ID: BC_K8S_105

Ensure the RotateKubeletServerCertificate argument for kubelets is set to True
Policy ID: BC_K8S_106

Ensure minimized wildcard use in Roles and ClusterRoles
Policy ID: BC_K8S_107

RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding

Policy ID: CKV2_K8S_1

Granting create permissions to nodes/proxy or pods/exec sub resources allows potential privilege escalation
Policy ID: CKV2_K8S_2

No ServiceAccount/Node should have impersonate permissions for groups/users/service-accounts
Policy ID: CKV2_K8S_3

ServiceAccounts and nodes that can modify services/status may set the status.loadBalancer.ingress.ip field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster

Policy ID: CKV2_K8S_4

No ServiceAccount/Node should be able to read all secrets

Policy ID: Policy ID: CKV2_K8S_5

Updated 12 months ago