This topic lists the built-in rules for Kubernetes hardening policies in alphabetical order.
Built-in Rules
| Rule Name | Description | Category |
|---|---|---|
| Access to host namespace | Access to the host's network, PID, and IPC namespace. | Workload Security |
| Access to host path | Limits usage of host directory at the container. | Volume |
| Access to persistent data | Limits use of non-core volume types to those defined through PersistentVolumes. | Volume |
| Additional capabilities | Capabilities turn the binary “root/non-root” dichotomy into a fine-grained access control system. This rule helps to enforce the capabilities being added when running containers. | Workload Security |
| Allow privilege escalation | AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. | Workload Security |
| Allow privileged container | Runs container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. | Workload Security |
| AppArmor | AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program. | Workload Security |
| Cluster role binding | Binds a user or service account to a role in a cluster and all its namespaces. | RBAC |
| Company banned list | Prevents deployment of images with company banned files. | Container Images |
| CPU limits | Distributes CPU across workloads and ensures that a single container cannot bring the system down by exhausting resources. | Quota |
| Critical vulnerabilities | Prevents deployment of images with critical vulnerabilities in OS packages or libraries. | Container Images |
| Deny ephemeral containers | Ephemeral containers help debug workloads with limited tool sets or access by running an ad-hoc container within the pod context. While powerful for an admin, ephemeral containers can be maliciously used by adversaries to gain privileged access to workloads. | Command |
| Deny latest tag | Identifies container images with a "latest" tag. Latest tags make it difficult to track image versions and roll back properly. | Container Images |
| Deny new resources | Identify the deployment of new resources in the associated scope. | Workload Security |
| Deploy new CRD | Extends Kubernetes resources by customizing a particular Kubernetes installation. Once a custom resource is installed, users can create and access its objects using kubectl. | CRD |
| Enforce not root | Containers should be prevented from running with a root primary or supplementary GID. Specifying the user/group ID for the container or setting runAsNonRoot to true should indicate the container must run as a non-root user or group. | Workload Security |
| Exec to container | Kubectl exec allows a user to execute a command in a container. Attackers with permissions could run ‘kubectl exec’ to execute malicious code and compromise resources within a cluster. | Command |
| Host port | Allows workloads to be exposed by a host port. | Network |
| Image not scanned | Identifies workloads with images that have not been scanned within 20 minutes of deployment. | Container Images |
| Ingress controller | Allows workloads to be exposed by an ingress controller. | Network |
| Known malware | Prevents deployment of images with known malware. | Container Images |
| Load balancer | Allows workloads to be exposed by a load balancer. | Network |
| Memory limits | Distributes memory across workloads and ensures that a single container cannot bring the system down by exhausting resources. | Quota |
| Node port | Allows workloads to be exposed by a node port. | Network |
| Port forward | Kubectl port-forward allows you to bypass the cluster's perimeter security and interact directly with internal Kubernetes cluster processes from your localhost. | Command |
| Require hash tags | Identify container images with named tags. Hash tags are required to prevent issues with overwritten named tags | Container Images |
| Role binding | Binds a user or service account to a role in a namespace. | RBAC |
| SecComp profile | The seccomp options to be used by this container. If seccomp options are provided at both the pod and container level, the container options override the pod options. | Workload Security |
| Secret found | Prevents deployment of images that have secrets. | Container Images |
| SeLinux | The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. | Workload Security |
| Sysctl | Sysctls holds a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. | Workload Security |
| Unmasked proc mount | ProcMount indicates the type of proc mount to use for containers. By default, it uses the container runtime defaults for read-only paths and masked paths. | Workload Security |
| Vulnerabilities with fixes | Prevents deployment of images with medium, high, or critical vulnerabilities–if fixes are available. | Container Images |
| Writable file system | Allows files to be written to the system, which makes it easier for threats to be introduced and persist in your environment. | Workload Security |
Built-in Rules Specification
| Built-in rule name | Elements on which the rule is applied | Expected values (if the value is different, rule violation is triggered) |
|---|---|---|
| Access to host namespace | spec.hostNetwork spec.hostPID spec.hostIPC |
FALSE |
| Access to host path | spec.volumes[*].hostPath | Empty |
| Access to persistent data | spec.volumes[*] | spec.volumes[*].EmptyDir spec.volumes[*].ConfigMap spec.volumes[*].Secrets spec.volumes[*].Ephemeral |
| Additional capabilities | spec.containers[*].securityContext.capabilities.add spec.initContainers[*].securityContext.capabilities.add |
Empty or any of the following: CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SYS_CHROOT, CAP_MKNOD, CAP_AUDIT_WRITE, CAP_SETFCAP |
| Allow privilege escalation | spec.containers[*].securityContext.allowPrivilegeEscalation spec.initContainers[*].securityContext.allowPrivilegeEscalation |
false, undefined/nil |
| Allow privileged container | spec.containers[*].securityContext.privileged spec.initContainers[*].securityContext.privileged |
false, undefined/nil |
| AppArmor | metadata.annotations['container.apparmor.security.beta.kubernetes.io/*'] | runtime/default', undefined |
| Cluster role binding | kind: clusterRoleBindings | |
| CPU limits | spec.containers[*].resources.limits.cpu spec.containers[*].resources.requests.cpu |
|
| Critical vulnerabilities | ||
| Deny ephemeral containers | ||
| Deny latest tag | ||
| Deny new resources | ||
| Deploy new CRD | kind: CustomResourceDefinition | |
| Enforce not root | spec.securityContext.runAsNonRoot spec.containers[*].securityContext.runAsNonRoot spec.initContainers[*].securityContext.runAsNonRoot |
TRUE |
| Exec to container | ||
| Host port | spec.containers[*].ports[*].hostPort spec.initContainers[*].ports[*].hostPort |
0, undefined |
| Image not scanned | ||
| Ingress controller | ||
| Known malware | ||
| Load balancer | spec.type.LoadBalancer | metadata.annotations['cloud.google.com/load-balancer-type:internal'] metadata.annotations['service.beta.kubernetes.io/aws-load-balancer-internal:true'] metadata.annotations['service.beta.kubernetes.io/azure-load-balancer-internal:true'] metadata.annotations['service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type:private'] metadata.annotations['service.beta.kubernetes.io/openstack-internal-load-balancer:true'] metadata.annotations['service.beta.kubernetes.io/cce-load-balancer-internal-vpc:true'] metadata.annotations['service.kubernetes.io/qcloud-loadbalancer-internal-subnetid:subnet-xxx'] |
| Memory limits | spec.containers[*].resources.limits.memory spec.containers[*].resources.requests.memory |
|
| Node port | ||
| Port forward | ||
| Require hash tags | ||
| Role binding | kind: roleBinding | |
| SecComp profile | metadata.annotations['seccomp.security.alpha.kubernetes.io/pod*'] spec.securityContext.seccompProfile.type spec.containers[*].securityContext.seccompProfile spec.initContainers[*].securityContext.seccompProfile |
false, undefined/nil |
| Secret found | ||
| SeLinux | spec.securityContext.seLinuxOptions spec.containers[*].securityContext.seLinuxOptions spec.initContainers[*].securityContext.seLinuxOptions |
undefined/nil |
| Sysctl | spec.securityContext.sysctls | kernel.shm_rmid_forced net.ipv4.ip_local_port_range net.ipv4.tcp_syncookies net.ipv4.ping_group_range undefined/empty |
| Unmasked proc mount | spec.containers[*].securityContext.procMount spec.initContainers[*].securityContext.procMount |
undefined/nil, 'Default' |
| Vulnerabilities with fixes | ||
| Writable file system | spec.containers[*].securityContext.readOnlyRootFilesystem spec.initContainers[*].securityContext.readOnlyRootFilesystem |
