Kubernetes Policy Index
How to Use this Page
This page lists the Kubernetes policies that Bridgecrew helps you enforce. You can browse the list or search for a specific policy ID or short title. For each policy, follow its link for more details about the policy and its fix options.
Do not admit containers wishing to share host process ID namespace
Policy ID: BC_K8_1
Do not admit privileged containers
Policy ID: BC_K8S_2
Do not admit containers wishing to share host IPC namespace
Policy ID: BC_K8S_3
Do not admit containers wishing to share host network namespace
Policy ID: BC_K8S_4
Do not admit root containers
Policy ID: BC_K8S_5
Do not admit containers with NET_RAW capability
Policy ID: BC_K8_6
Ensure liveness probe is configured
Policy ID: BC_K8S_7
Ensure readiness probe is configured
Policy ID: BC_K8S_8
Ensure CPU request is set
Policy ID: BC_K8S_9
Ensure CPU limits are set
Policy ID: BC_K8S_10
Ensure memory requests are set
Policy ID: BC_K8S_11
Ensure memory limits are set
Policy ID: BC_K8S_12
Ensure image tag is set to Fixed - not Latest or Blank
Policy ID: BC_K8S_13
Ensure image pull policy is set to Always
Policy ID: BC_K8S_14
Ensure container is not privileged
Policy ID: BC_K8S_15
Ensure containers do not share host process ID namespace
Policy ID: BC_K8S_16
Ensure containers do not share host IPC namespace
Policy ID: BC_K8S_17
Ensure containers do not share the host network namespace
Policy ID: BC_K8S_18
Ensure containers do not run with AllowPrivilegeEscalation
Policy ID: BC_K8S_19
Ensure default namespace is not used
Policy ID: BC_K8S_20
Use Read-Only filesystem for containers where possible
Policy ID: BC_K8S_21
Minimize admission of root containers
Policy ID: BC_K8S_22
Ensure containers with added capability are not allowed
Policy ID: BC_K8S_23
Ensure admission of containers with added capability is minimized
Policy ID: BC_K8S_24
Do not specify hostPort unless absolutely necessary
Policy ID: BC_K8S_25
Limit mounting Docker socket daemon in a container
Policy ID: BC_K8S_26
Ensure admission of containers with NET_RAW capability is minimized
Policy ID: BC_K8S_27
Ensure securityContext is applied to pods and containers
Policy ID: BC_K8S_28
Ensure seccomp is set to Docker/Default or Runtime/Default
Policy ID: BC_K8S_29
Ensure seccomp profile is set to Docker/Default or Runtime/Default
Policy ID: BC_K8S_30
Ensure Kubernetes dashboard is not deployed
Policy ID: BC_K8S_31
Ensure Tiller (Helm V2) is not deployed
Policy ID: BC_K8S_32
Use secrets as files instead of environment variables
Policy ID: BC_K8S_33
Ensure admission of containers with capabilities assigned is limited
Policy ID: BC_K8S_34
Ensure service account tokens are mounted where necessary
Policy ID: BC_K8S_35
Ensure CAP_SYS_ADMIN Linux capability is not used
Policy ID: BC_K8S_36
Ensure containers run with a high UID to avoid host conflict
Policy ID: BC_K8S_37
Ensure default service accounts are not actively used
Policy ID: BC_K8S_38
Ensure images are selected using a digest
Policy ID: BC_K8S_39
Ensure Tiller (Helm V2) deployment is not accessible from within the cluster
Policy ID: BC_K8S_40
Ensure Tiller (Helm v2) service is deleted
Policy ID: BC_K8S_41
Ensure containers do not run with AllowPrivilegeEscalation
Policy ID: BC_K8S_42
Ensure securityContext is applied to pods and containers
Policy ID: BC_K8S_43
Minimise the admission of containers with capabilities assigned
Policy ID: BC_K8S_44
Ensure default service accounts are not actively used
Policy ID: BC_K8S_45
Ensure the --anonymous-auth argument is set to False
Policy ID: BC_K8S_46
Ensure the --basic-auth-file argument is not Set
Policy ID: BC_K8S_47
Ensure the --token-auth-file argument is not Set
Policy ID: BC_K8S_48
Ensure the --kubelet-https argument is set to True
Policy ID: BC_K8S_49
Ensure the --kubelet-client-certificate and --kubelet-client-key arguments are set appropriately
Policy ID: BC_K8S_50
Ensure the --kubelet-certificate-authority argument is set appropriately
Policy ID: BC_K8S_51
Ensure the --authorization-mode argument is not set to AlwaysAllow
Policy ID: BC_K8S_52
Ensure the --authorization-mode argument includes node
Policy ID: BC_K8S_53
Ensure the --authorization-mode argument includes RBAC
Policy ID: BC_K8S_54
Ensure the admission control plugin EventRateLimit is set
Policy ID: BC_K8S_55
Ensure the admission control plugin AlwaysAdmit is not set
Policy ID: BC_K8S_56
Ensure the admission control plugin AlwaysPullImages is set
Policy ID: BC_K8S_57
Ensure the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
Policy ID: BC_K8S_58
Ensure the admission control plugin ServiceAccount is set
Policy ID: BC_K8S_59
Ensure the admission control plugin NamespaceLifecycle is set
Policy ID: BC_K8S_60
Ensure the admission control plugin PodSecurityPolicy is set
Policy ID: BC_K8S_61
Ensure the admission control plugin NodeRestriction is set
Policy ID: BC_K8S_62
Ensure the --insecure-bind-address argument is not set
Policy ID: BC_K8S_63
Ensure the --insecure-port argument is set to 0
Policy ID: BC_K8S_64
Ensure the --secure-port argument is not set to 0
Policy ID: BC_K8S_65
Ensure the --profiling argument is set to False
Policy ID: BC_K8S_66
Ensure the --audit-log-path argument is set
Policy ID: BC_K8S_67
Ensure the --audit-log-maxage argument is set to 30 or appropriately
Policy ID: BC_K8S_68
Ensure the --audit-log-maxbackup argument is set to 10 or appropriately
Policy ID: BC_K8S_69
Ensure the --audit-log-maxsize argument is set to 100 or appropriately
Policy ID: BC_K8S_70
Ensure the --request-timeout argument is set appropriately
Policy ID: BC_K8S_71
Ensure the --service-account-lookup argument is set to True
Policy ID: BC_K8S_72
Ensure the --service-account-key-file argument is set appropriately
Policy ID: BC_K8S_73
Ensure the --etcd-certfile and --etcd-keyfile arguments are set appropriately
Policy ID: BC_K8S_74
Ensure the --tls-cert-file and --tls-private-key-file arguments are set appropriately
Policy ID: BC_K8S_75
Ensure Kubelet only uses strong cryptographic ciphers
Policy ID: BC_K8S_76
Ensure the --etcd-cafile argument is set appropriately
Policy ID: BC_K8S_77
Ensure encryption providers are appropriately configured
Policy ID: BC_K8S_78
Ensure the API server makes use of strong cryptographic ciphers
Policy ID: BC_K8S_79
Ensure the --terminated-pod-gc-threshold argument for controller managers is set appropriately
Policy ID: BC_K8S_80
Ensure the --profiling argument for controller managers is set to False
Policy ID: BC_K8S_81
Ensure the --use-service-account-credentials argument for controller managers is set to True
Policy ID: BC_K8S_82
Ensure the --service-account-private-key-file argument for controller managers is set appropriately
Policy ID: BC_K8S_83
Ensure the --root-ca-file argument for controller managers is set appropriately
Policy ID: BC_K8S_84
Ensure the RotateKubeletServerCertificate argument for controller managers is set to True
Policy ID: BC_K8S_85
Ensure the --bind-address argument for controller managers is set to 127.0.0.1
Policy ID: BC_K8S_86
Ensure the --profiling argument is set to False
Policy ID: BC_K8S_87
Ensure the --bind-address argument is set to 127.0.0.1
Policy ID: BC_K8S_88
Ensure the --cert-file and --key-file arguments are set appropriately
Policy ID: BC_K8S_89
Ensure the --client-cert-auth argument is set to True
Policy ID: BC_K8S_90
Ensure the --auto-tls argument is not set to True
Policy ID: BC_K8S_91
Ensure the --peer-cert-file and --peer-key-file arguments are set appropriately
Policy ID: BC_K8S_92
Ensure the --peer-client-cert-auth argument is set to True
Policy ID: BC_K8S_93
Ensure the --peer-auto-tls argument is not set to True
Policy ID: BC_K8S_94
Ensure the --anonymous-auth argument is set to False
Policy ID: BC_K8S_95
Ensure the --authorization-mode argument is not set to AlwaysAllow
Policy ID: BC_K8S_96
Ensure the --client-ca-file argument for API Servers is set appropriately
Policy ID: BC_K8S_97
Ensure the --read-only-port argument is set to 0
Policy ID: BC_K8S_98
Ensure the --streaming-connection-idle-timeout argument is not set to 0
Policy ID: BC_K8S_99
Ensure the --protect-kernel-defaults argument is set to True
Policy ID: BC_K8S_100
Ensure the --make-iptables-util-chains argument is set to True
Policy ID: BC_K8S_101
Ensure the --hostname-override argument is not set
Policy ID: BC_K8S_102
Ensure the --event-qps argument is set to 0 or a level that ensures appropriate event capture
Policy ID: BC_K8S_103
Ensure --tls-cert-file and --tls-private-key-file arguments are set appropriately
Policy ID: BC_K8S_104
Ensure the --rotate-certificates argument is not set to false
Policy ID: BC_K8S_105
Ensure the RotateKubeletServerCertificate argument for kubelets is set to True
Policy ID: BC_K8S_106
Ensure minimized wildcard use in Roles and ClusterRoles
Policy ID: BC_K8S_107
RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding
Policy ID: CKV2_K8S_1
Granting create permissions to nodes/proxy or pods/exec sub-resources allows potential privilege escalation
Policy ID: CKV2_K8S_2
No ServiceAccount/Node should have impersonate permissions for groups/users/service-accounts
Policy ID: CKV2_K8S_3
ServiceAccounts and nodes that can modify services/status may set the status.loadBalancer.ingress.ip field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster
Policy ID: CKV2_K8S_4
No ServiceAccount/Node should be able to read all secrets
Policy ID: CKV2_K8S_5