This topic lists the built-in rules for Kubernetes hardening policies in alphabetical order.

Built-in Rules

| Rule name | Description | Category |
|---|---|---|
| Access to host namespace | Controls access to the host's network, PID and IPC namespaces (hostNetwork, hostPID, hostIPC). | Workload Security |
| Access to host path | Limits use of hostPath volumes, which mount host directories into the container. | Volume |
| Access to persistent data | Limits use of non-core volume types to those defined through PersistentVolumes. | Volume |
| Additional capabilities | Capabilities turn the binary root/non-root dichotomy into a fine-grained access control system. This rule restricts which capabilities may be added to containers. | Workload Security |
| Allow privilege escalation | allowPrivilegeEscalation controls whether a process can gain more privileges than its parent process, for example through setuid binaries or file capabilities. | Workload Security |
| Allow privileged container | Runs the container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. | Workload Security |
| AppArmor | AppArmor (Application Armor) is a Linux security module that protects the operating system and its applications from security threats. A system administrator associates an AppArmor security profile with each program. | Workload Security |
| Cluster role binding | Binds a user, group or service account to a ClusterRole, granting its permissions across the whole cluster (all namespaces). | RBAC |
| Company banned list | Prevents deployment of images that contain company-banned files. | Container Images |
| CPU limits | Requires CPU limits so that CPU is shared across workloads and a single container cannot bring the node down by exhausting it. | Quota |
| Critical vulnerabilities | Prevents deployment of images with critical vulnerabilities in OS packages or libraries. | Container Images |
| Deny ephemeral containers | Ephemeral containers help debug workloads that have limited tool sets or access by running an ad-hoc container within the pod's context. Powerful for an administrator, they can equally be used by an adversary to gain privileged access to a workload. | Command |
| Deny latest tag | Identifies container images that use the latest tag. Latest tags make it difficult to track image versions and to roll back properly. | Container Images |
| Deny new resources | Identifies the deployment of new resources in the associated scope. | Workload Security |
| Deploy new CRD | Identifies deployment of a CustomResourceDefinition. CRDs extend the Kubernetes API of a particular installation with new resource types; once a custom resource is installed, users can create and access its objects with kubectl. | CRD |
| Enforce not root | Prevents containers from running as the root user. Setting runAsNonRoot to true makes the kubelet refuse to start a container that would run as UID 0, whether from the image's USER or from runAsUser; a non-zero runAsUser or runAsGroup alone does not satisfy the check (see the specification below). | Workload Security |
| Exec to container | kubectl exec lets a user execute a command in a container. An attacker with this permission could run kubectl exec to execute malicious code and compromise resources within the cluster. | Command |
| Host port | Identifies workloads exposed through a host port (hostPort), which binds the container directly to a port on the node. | Network |
| Image not scanned | Identifies workloads whose images have not been scanned within 20 minutes of deployment. | Container Images |
| Ingress controller | Identifies workloads exposed through an ingress controller. | Network |
| Known malware | Prevents deployment of images with known malware. | Container Images |
| Load balancer | Identifies workloads exposed through a Service of type LoadBalancer. | Network |
| Memory limits | Requires memory limits so that memory is shared across workloads and a single container cannot bring the node down by exhausting it. | Quota |
| Node port | Identifies workloads exposed through a Service of type NodePort. | Network |
| Port forward | kubectl port-forward bypasses the cluster's perimeter security and lets a user interact directly with internal cluster processes from their localhost. | Command |
| Require hash tags | Identifies container images referenced by a named tag rather than by digest. Digest ("hash tag") references are required because a named tag can be overwritten to point at a different image. | Container Images |
| Role binding | Binds a user, group or service account to a role within a single namespace. | RBAC |
| SecComp profile | The seccomp options used by the container. If seccomp options are set at both pod and container level, the container options override the pod options. | Workload Security |
| Secret found | Prevents deployment of images that contain secrets. | Container Images |
| SeLinux | The SELinux context applied to the container. If unspecified, the container runtime allocates a random SELinux context for each container. | Workload Security |
| Sysctl | The list of namespaced sysctls used by the pod. Pods with sysctls the container runtime does not support may fail to launch. | Workload Security |
| Unmasked proc mount | procMount selects the type of /proc mount for the container. The default uses the container runtime's read-only and masked paths; Unmasked removes them and exposes the full /proc. | Workload Security |
| Vulnerabilities with fixes | Prevents deployment of images with medium, high or critical vulnerabilities for which fixes are available. | Container Images |
| Writable file system | A writable root filesystem lets files be written into the container, which makes it easier for threats to be introduced and to persist in the environment. | Workload Security |
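
The two image-reference rules above, "Deny latest tag" and "Require hash tags", are easy to get wrong when the reference carries a registry port or a digest. The following added example (not code from the product this page documents) parses references the way Docker and containerd do and applies the two checks to every container of a Pod manifest. Two points are this example's own assumptions, not the page's: a reference with no tag is treated as latest, because that is what the kubelet pulls when no tag is given, and an image pinned by a digest is not flagged for a latest tag sitting next to it. The sample manifest is constructed.

```python
"""Image reference checks for the "Deny latest tag" and "Require hash tags" rules.

Added example; not the product's own implementation. An image pinned by the
mutable "latest" tag (or by no tag at all, which Kubernetes resolves to
"latest") trips the first rule; an image not pinned by an immutable sha256
digest trips the second. Treating a digest-pinned image as exempt from the
latest-tag rule is this example's choice.
"""
import re

# A digest suffix: "@<algorithm>:<hex>" at the end of the reference.
_DIGEST_RE = re.compile(r"@(?P<alg>[A-Za-z0-9_+.-]+):(?P<hex>[0-9a-fA-F]{32,})$")


def parse_image_reference(ref: str) -> dict:
    """Split an image reference into repository, tag and digest.

    Constructed examples:
      nginx                          -> repository nginx, no tag, no digest
      localhost:5000/app             -> the ":" is a registry port, not a tag
      registry.example/app:1.2.3     -> tag 1.2.3
      registry.example/app@sha256:.. -> digest set, no tag
    """
    digest = None
    m = _DIGEST_RE.search(ref)
    if m:
        digest = m.group(0)[1:]          # drop the leading "@"
        ref = ref[: m.start()]
    # A ":" after the last "/" separates the tag; before it, it is a port.
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        repository, tag = ref[:colon], ref[colon + 1:]
    else:
        repository, tag = ref, None
    return {"repository": repository, "tag": tag, "digest": digest}


def violates_deny_latest_tag(ref: str) -> bool:
    """True when the image is pinned only by the "latest" tag.

    A missing tag counts as "latest": that is what the kubelet pulls when no
    tag is given. A digest pins the content regardless of the tag next to it,
    so a digest-pinned image is not flagged here (this example's choice).
    """
    parts = parse_image_reference(ref)
    if parts["digest"]:
        return False
    return parts["tag"] is None or parts["tag"] == "latest"


def violates_require_hash_tags(ref: str) -> bool:
    """True when the image is not pinned by a digest ("hash tag")."""
    return parse_image_reference(ref)["digest"] is None


def check_pod_images(pod: dict) -> list[tuple[str, str]]:
    """Return (rule name, image field path) pairs for a Pod given as a dict."""
    violations = []
    for field in ("containers", "initContainers"):
        for i, c in enumerate(pod.get("spec", {}).get(field) or []):
            path = f"spec.{field}[{i}].image"
            if violates_deny_latest_tag(c["image"]):
                violations.append(("Deny latest tag", path))
            if violates_require_hash_tags(c["image"]):
                violations.append(("Require hash tags", path))
    return violations


# Constructed sample manifest: untagged init image, tagged web image, digest-pinned sidecar.
SAMPLE_POD = {
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox"}],
        "containers": [
            {"name": "web", "image": "registry.example/web:1.4.2"},
            {"name": "sidecar", "image": "registry.example/proxy@sha256:" + "0" * 64},
        ],
    }
}
```

Running `check_pod_images(SAMPLE_POD)` flags the tagged web image under "Require hash tags" and the untagged init image under both rules; the digest-pinned sidecar passes both.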

Built-in Rules Specification

For each built-in rule: the elements on which the rule is applied and the expected values (a different value triggers a rule violation). Rules that act on image scan results or on API commands rather than on manifest fields list no element.

Access to host namespace
  Elements: spec.hostNetwork, spec.hostPID, spec.hostIPC
  Expected: false

Access to host path
  Elements: spec.volumes[*].hostPath
  Expected: empty

Access to persistent data
  Elements: spec.volumes[*], including the emptyDir, configMap, secret and ephemeral volume types
  Expected: not listed

Additional capabilities
  Elements: spec.containers[*].securityContext.capabilities.add, spec.initContainers[*].securityContext.capabilities.add
  Expected: empty, or only capabilities from this list: CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SYS_CHROOT, CAP_MKNOD, CAP_AUDIT_WRITE, CAP_SETFCAP (Kubernetes manifests write these without the CAP_ prefix, e.g. NET_BIND_SERVICE)

Allow privilege escalation
  Elements: spec.containers[*].securityContext.allowPrivilegeEscalation, spec.initContainers[*].securityContext.allowPrivilegeEscalation
  Expected: false, undefined/nil

Allow privileged container
  Elements: spec.containers[*].securityContext.privileged, spec.initContainers[*].securityContext.privileged
  Expected: false, undefined/nil

AppArmor
  Elements: metadata.annotations['container.apparmor.security.beta.kubernetes.io/*']
  Expected: runtime/default, undefined

Cluster role binding
  Elements: kind: ClusterRoleBinding
  Expected: not listed

CPU limits
  Elements: spec.containers[*].resources.limits.cpu, spec.containers[*].resources.requests.cpu
  Expected: not listed

Critical vulnerabilities
  Elements: none listed

Deny ephemeral containers
  Elements: none listed

Deny latest tag
  Elements: none listed

Deny new resources
  Elements: none listed

Deploy new CRD
  Elements: kind: CustomResourceDefinition
  Expected: not listed

Enforce not root
  Elements: spec.securityContext.runAsNonRoot, spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot
  Expected: true

Exec to container
  Elements: none listed

Host port
  Elements: spec.containers[*].ports[*].hostPort, spec.initContainers[*].ports[*].hostPort
  Expected: 0, undefined

Image not scanned
  Elements: none listed

Ingress controller
  Elements: none listed

Known malware
  Elements: none listed

Load balancer
  Elements: spec.type (LoadBalancer), and the internal-load-balancer annotations metadata.annotations['cloud.google.com/load-balancer-type:internal'], metadata.annotations['service.beta.kubernetes.io/aws-load-balancer-internal:true'], metadata.annotations['service.beta.kubernetes.io/azure-load-balancer-internal:true'], metadata.annotations['service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type:private'], metadata.annotations['service.beta.kubernetes.io/openstack-internal-load-balancer:true'], metadata.annotations['service.beta.kubernetes.io/cce-load-balancer-internal-vpc:true'], metadata.annotations['service.kubernetes.io/qcloud-loadbalancer-internal-subnetid:subnet-xxx']
  Expected: not listed

Memory limits
  Elements: spec.containers[*].resources.limits.memory, spec.containers[*].resources.requests.memory
  Expected: not listed

Node port
  Elements: none listed

Port forward
  Elements: none listed

Require hash tags
  Elements: none listed

Role binding
  Elements: kind: RoleBinding
  Expected: not listed

SecComp profile
  Elements: metadata.annotations['seccomp.security.alpha.kubernetes.io/pod*'], spec.securityContext.seccompProfile.type, spec.containers[*].securityContext.seccompProfile, spec.initContainers[*].securityContext.seccompProfile
  Expected: false, undefined/nil

Secret found
  Elements: none listed

SeLinux
  Elements: spec.securityContext.seLinuxOptions, spec.containers[*].securityContext.seLinuxOptions, spec.initContainers[*].securityContext.seLinuxOptions
  Expected: undefined/nil

Sysctl
  Elements: spec.securityContext.sysctls
  Expected: undefined/empty, or only these sysctls: kernel.shm_rmid_forced, net.ipv4.ip_local_port_range, net.ipv4.tcp_syncookies, net.ipv4.ping_group_range

Unmasked proc mount
  Elements: spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount
  Expected: undefined/nil, 'Default'

Vulnerabilities with fixes
  Elements: none listed

Writable file system
  Elements: spec.containers[*].securityContext.readOnlyRootFilesystem, spec.initContainers[*].securityContext.readOnlyRootFilesystem
  Expected: not listed
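
The specification above is, in effect, a set of field checks over a Pod manifest. The following added example (not the product's own policy engine) evaluates a Pod given as a dict against the pod-level rows: host namespaces, hostPath, privileged, privilege escalation, added capabilities, runAsNonRoot, SELinux, sysctls, procMount, hostPort, read-only root filesystem, and CPU and memory limits. Where the table leaves the expected value blank (CPU limits, Memory limits, Writable file system) the code uses the natural reading and marks it in a comment; that reading is an assumption, as is treating a container-level runAsNonRoot as overriding the pod-level one (the Kubernetes precedence rule, not something the table states). Both sample manifests are constructed.

```python
"""Evaluate a Pod manifest against the pod-level rows of the specification
table above. Added example, not the product's own policy engine. Where the
table leaves the expected value blank (CPU limits, Memory limits, Writable
file system) the natural reading is used and marked inline. The Pod is a
dict, e.g. the result of yaml.safe_load on a manifest.
"""

# Capabilities that may be added without triggering "Additional capabilities".
# The table spells them CAP_*; Kubernetes manifests omit the prefix.
ALLOWED_CAPS = {
    "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID",
    "SETPCAP", "NET_BIND_SERVICE", "NET_RAW", "SYS_CHROOT", "MKNOD",
    "AUDIT_WRITE", "SETFCAP",
}
# Namespaced sysctls that may be set without triggering "Sysctl".
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range",
}


def _containers(spec: dict):
    """Yield (path, container) for containers and initContainers alike."""
    for field in ("containers", "initContainers"):
        for i, c in enumerate(spec.get(field) or []):
            yield f"spec.{field}[{i}]", c


def evaluate_pod(pod: dict) -> list[tuple[str, str]]:
    """Return (rule name, offending field) pairs; an empty list means compliant."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    found = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):                       # expected: false / absent
            found.append(("Access to host namespace", f"spec.{field}"))
    for i, vol in enumerate(spec.get("volumes") or []):
        if "hostPath" in vol:                     # expected: empty
            found.append(("Access to host path", f"spec.volumes[{i}].hostPath"))
    if pod_sc.get("seLinuxOptions") is not None:  # expected: undefined
        found.append(("SeLinux", "spec.securityContext.seLinuxOptions"))
    for s in pod_sc.get("sysctls") or []:
        if s.get("name") not in SAFE_SYSCTLS:
            found.append(("Sysctl", f"spec.securityContext.sysctls[{s.get('name')}]"))
    for path, c in _containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):                  # expected: false / absent
            found.append(("Allow privileged container", f"{path}.securityContext.privileged"))
        if sc.get("allowPrivilegeEscalation"):    # expected: false / absent
            found.append(("Allow privilege escalation",
                          f"{path}.securityContext.allowPrivilegeEscalation"))
        added = {cap.upper().removeprefix("CAP_")
                 for cap in (sc.get("capabilities") or {}).get("add") or []}
        if added - ALLOWED_CAPS:                  # expected: empty or allowed only
            found.append(("Additional capabilities", f"{path}.securityContext.capabilities.add"))
        # Container-level runAsNonRoot overrides the pod-level one (assumption); expected: true.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(("Enforce not root", f"{path}.securityContext.runAsNonRoot"))
        if sc.get("seLinuxOptions") is not None:
            found.append(("SeLinux", f"{path}.securityContext.seLinuxOptions"))
        if sc.get("procMount", "Default") != "Default":
            found.append(("Unmasked proc mount", f"{path}.securityContext.procMount"))
        # Table leaves the value blank; the description implies true is required (assumption).
        if sc.get("readOnlyRootFilesystem") is not True:
            found.append(("Writable file system", f"{path}.securityContext.readOnlyRootFilesystem"))
        for j, p in enumerate(c.get("ports") or []):
            if p.get("hostPort"):                 # expected: 0 / absent
                found.append(("Host port", f"{path}.ports[{j}].hostPort"))
        # Table leaves the values blank; read "limits" as "a limit must be set" (assumption).
        limits = (c.get("resources") or {}).get("limits") or {}
        for res, rule in (("cpu", "CPU limits"), ("memory", "Memory limits")):
            if res not in limits:
                found.append((rule, f"{path}.resources.limits.{res}"))
    return found


# Constructed samples: a debugging pod that trips nine rules, and one that passes.
NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-box"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell", "image": "busybox:1.36",
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["NET_ADMIN", "CHOWN"]}},
            "ports": [{"containerPort": 8080, "hostPort": 8080}],
        }],
    },
}
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web", "image": "registry.example/web@sha256:" + "0" * 64,
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}
```

`evaluate_pod(NONCOMPLIANT_POD)` reports nine violations (host namespace, host path, privileged, the NET_ADMIN capability, missing runAsNonRoot, writable root filesystem, hostPort, and both resource limits) and nothing for allowPrivilegeEscalation, which is absent and therefore within the expected values; `evaluate_pod(COMPLIANT_POD)` returns an empty list.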