Kubescape Scan Report

Summary

All	Failed	Skipped
65	23	10

Details

Severity	Control Name	Failed Resources	All Resources	Risk Score, %
Critical	API server insecure port is enabled	0	1	0
Critical	CVE-2022-39328-grafana-auth-bypass	0	0	0
Critical	Disable anonymous access to Kubelet service	0	0	0
Critical	Enforce Kubelet client TLS authentication	0	0	0
High	Applications credentials in configuration files	0	43	0
High	CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability	0	0	0
High	CVE-2022-23648-containerd-fs-escape	0	1	0
High	CVE-2022-47633-kyverno-signature-bypass	0	0	0
High	Forbidden Container Registries	0	19	0
High	Host PID/IPC privileges	0	19	0
High	HostNetwork access	0	19	0
High	HostPath mount	0	19	0
High	Insecure capabilities	0	19	0
High	Instance Metadata API	0	0	0
High	List Kubernetes secrets	3	74	4
High	Privileged container	0	19	0
High	RBAC enabled	0	1	0
High	Resource limits	7	19	44
High	Resources CPU limit and request	0	19	0
High	Resources memory limit and request	0	19	0
High	Workloads with Critical vulnerabilities exposed to external traffic	0	0	0
High	Workloads with RCE vulnerabilities exposed to external traffic	0	0	0
High	Writable hostPath mount	0	19	0
Medium	Access container service account	1	46	2
Medium	Allow privilege escalation	4	19	30
Medium	Audit logs enabled	1	1	100
Medium	Automatic mapping of service account	4	62	10
Medium	CVE-2021-25741 - Using symlink for arbitrary host file system access.	0	0	0
Medium	CVE-2022-0185-linux-kernel-container-escape	0	1	0
Medium	CVE-2022-24348-argocddirtraversal	0	0	0
Medium	Cluster internal networking	1	5	20
Medium	Cluster-admin binding	0	74	0
Medium	Configured liveness probe	7	19	44
Medium	Container hostPort	0	19	0
Medium	Containers mounting Docker socket	0	19	0
Medium	CoreDNS poisoning	1	74	1
Medium	Data Destruction	2	74	3
Medium	Delete Kubernetes events	0	74	0
Medium	Exec into container	0	74	0
Medium	Exposed sensitive interfaces	0	0	0
Medium	Images from allowed registry	0	19	0
Medium	Ingress and Egress blocked	7	19	44
Medium	Linux hardening	7	19	44
Medium	Malicious admission controller (mutating)	0	0	0
Medium	Mount service principal	0	19	0
Medium	No impersonation	0	74	0
Medium	Non-root containers	4	19	30
Medium	Portforwarding privileges	0	74	0
Medium	Secret/ETCD encryption enabled	1	1	100
Medium	Sudo in container entrypoint	0	19	0
Medium	Workloads with excessive amount of vulnerabilities	0	0	0
Low	Access Kubernetes dashboard	0	93	0
Low	Configured readiness probe	7	19	44
Low	Image pull policy on latest tag	0	19	0
Low	Immutable container filesystem	4	19	30
Low	K8s common labels usage	5	19	34
Low	Kubernetes CronJob	5	5	100
Low	Label usage for resources	3	19	14
Low	Malicious admission controller (validating)	0	0	0
Low	Naked PODs	0	31	0
Low	Network mapping	1	5	20
Low	PSP enabled	1	1	100
Low	Pods in default namespace	2	19	20
Low	SSH server running inside container	0	1	0

Failed Resources

Name: kubescape

ApiVersion: v1

Kind: Namespace

Name: kubescape

Namespace:

Severity	Name	Docs	Assisted Remediation
Low	Network mapping	C-0049
Medium	Cluster internal networking	C-0054

Name: nginx-1

ApiVersion: apps/v1

Kind: Deployment

Name: nginx-1

Namespace: default

Severity	Name	Docs	Assisted Remediation
Medium	Allow privilege escalation	C-0016

spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false

spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE

spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE

| | Low | Configured readiness probe | C-0018 |

spec.template.spec.containers[0].readinessProbe=YOUR_VALUE

spec.template.spec.containers[0].securityContext.runAsNonRoot=true

spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false

spec.template.spec.automountServiceAccountToken=false

spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE

spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE

spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE

spec.template.spec.containers[0].livenessProbe=YOUR_VALUE

| | Low | K8s common labels usage | C-0077 |

metadata.labels=YOUR_VALUE

spec.template.metadata.labels=YOUR_VALUE

| | Low | Pods in default namespace | C-0061 |

metadata.namespace

| | Low | Immutable container filesystem | C-0017 |

spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true

Name: kubescape-sneeffer-service-account

ApiVersion:

Kind: ServiceAccount

Name: kubescape-sneeffer-service-account

Namespace: default

Severity	Name	Docs	Assisted Remediation
Medium	Access container service account	C-0053

Name: kubescape-sneeffer-service-account

ApiVersion: v1

Kind: ServiceAccount

Name: kubescape-sneeffer-service-account

Namespace: default

Severity	Name	Docs	Assisted Remediation
Medium	Automatic mapping of service account	C-0034

automountServiceAccountToken=false

Name: nginx

ApiVersion: apps/v1

Kind: Deployment

Name: nginx

Namespace: default

Severity	Name	Docs	Assisted Remediation
Medium	Allow privilege escalation	C-0016

spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false

spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE

spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE

| | Low | Configured readiness probe | C-0018 |

spec.template.spec.containers[0].readinessProbe=YOUR_VALUE

spec.template.spec.containers[0].securityContext.runAsNonRoot=true

spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false

spec.template.spec.automountServiceAccountToken=false

spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE

spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE

spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE

spec.template.spec.containers[0].livenessProbe=YOUR_VALUE

| | Low | K8s common labels usage | C-0077 |

metadata.labels=YOUR_VALUE

spec.template.metadata.labels=YOUR_VALUE

| | Low | Pods in default namespace | C-0061 |

metadata.namespace

| | Low | Immutable container filesystem | C-0017 |

spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true

Name: kube-apiserver-dwertent

ApiVersion: v1

Kind: Pod

Name: kube-apiserver-dwertent

Namespace: kube-system

Severity	Name	Docs	Assisted Remediation
Medium	Audit logs enabled	C-0067

spec.containers[0].command

| | Low | PSP enabled | C-0068 |

spec.containers[0].command[5]

spec.containers[0].command

Name: kubescape-sa

ApiVersion:

Kind: ServiceAccount

Name: kubescape-sa

Namespace: kubescape

Severity	Name	Docs	Assisted Remediation
Medium	Data Destruction	C-0007

relatedObjects[1].rules[1].resources[1]

relatedObjects[1].rules[1].verbs[0]

relatedObjects[1].rules[1].apiGroups[0]

relatedObjects[1].rules[1].apiGroups[1]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].verbs[1]

relatedObjects[1].rules[0].verbs[3]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Name: default

ApiVersion: v1

Kind: ServiceAccount

Name: default

Namespace: kubescape

Severity	Name	Docs	Assisted Remediation
Medium	Automatic mapping of service account	C-0034

automountServiceAccountToken=false

Name: kubescape-registry-scan-1809488850697420828

ApiVersion: batch/v1

Kind: CronJob

Name: kubescape-registry-scan-1809488850697420828

Namespace: kubescape

Severity	Name	Docs	Assisted Remediation
Medium	Ingress and Egress blocked	C-0030
High	Resource limits	C-0009

spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE

| | Low | Configured readiness probe | C-0018 |

spec.jobTemplate.spec.template.spec.containers[0].readinessProbe=YOUR_VALUE

| | Low | Kubernetes CronJob | C-0026 | | | Low | Label usage for resources | C-0076 |

spec.jobTemplate.spec.template.metadata.labels=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].livenessProbe=YOUR_VALUE

| | Low | K8s common labels usage | C-0077 |

metadata.labels=YOUR_VALUE

spec.jobTemplate.spec.template.metadata.labels=YOUR_VALUE

Name: kubescape-scheduler

ApiVersion: batch/v1

Kind: CronJob

Name: kubescape-scheduler

Namespace: kubescape

Severity	Name	Docs	Assisted Remediation
Medium	Allow privilege escalation	C-0016

spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false

spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE

| | Low | Configured readiness probe | C-0018 |

spec.jobTemplate.spec.template.spec.containers[0].readinessProbe=YOUR_VALUE

| | Low | Kubernetes CronJob | C-0026 | | | Medium | Non-root containers | C-0013 |

spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsNonRoot=true

spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false

spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].livenessProbe=YOUR_VALUE

| | Low | Immutable container filesystem | C-0017 |

spec.jobTemplate.spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true

Name: ks-sa

ApiVersion:

Kind: ServiceAccount

Name: ks-sa

Namespace: kubescape

Severity	Name	Docs	Assisted Remediation
Medium	Data Destruction	C-0007

relatedObjects[1].rules[1].resources[0]

relatedObjects[1].rules[1].verbs[0]

relatedObjects[1].rules[1].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

relatedObjects[1].rules[2].resources[1]

relatedObjects[1].rules[2].verbs[0]

relatedObjects[1].rules[2].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

relatedObjects[1].rules[2].resources[0]

relatedObjects[1].rules[2].verbs[0]

relatedObjects[1].rules[2].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].verbs[1]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

relatedObjects[1].rules[2].resources[1]

relatedObjects[1].rules[2].verbs[0]

relatedObjects[1].rules[2].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Name: ks-scheduled-scan-armobest-1968464821027741247

ApiVersion: batch/v1

Kind: CronJob

Name: ks-scheduled-scan-armobest-1968464821027741247

Namespace: kubescape

Severity	Name	Docs	Assisted Remediation
Medium	Ingress and Egress blocked	C-0030
High	Resource limits	C-0009

spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE

| | Low | Configured readiness probe | C-0018 |

spec.jobTemplate.spec.template.spec.containers[0].readinessProbe=YOUR_VALUE

| | Low | Kubernetes CronJob | C-0026 | | | Low | Label usage for resources | C-0076 |

spec.jobTemplate.spec.template.metadata.labels=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].livenessProbe=YOUR_VALUE

| | Low | K8s common labels usage | C-0077 |

metadata.labels=YOUR_VALUE

spec.jobTemplate.spec.template.metadata.labels=YOUR_VALUE

Name: ks-scheduled-scan-cis-v1-23-t1-0-1-70343785476262573

ApiVersion: batch/v1

Kind: CronJob

Name: ks-scheduled-scan-cis-v1-23-t1-0-1-70343785476262573

Namespace: kubescape

Severity	Name	Docs	Assisted Remediation
Medium	Ingress and Egress blocked	C-0030
High	Resource limits	C-0009

spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE

| | Low | Configured readiness probe | C-0018 |

spec.jobTemplate.spec.template.spec.containers[0].readinessProbe=YOUR_VALUE

| | Low | Kubernetes CronJob | C-0026 | | | Low | Label usage for resources | C-0076 |

spec.jobTemplate.spec.template.metadata.labels=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE

spec.jobTemplate.spec.template.spec.containers[0].livenessProbe=YOUR_VALUE

| | Low | K8s common labels usage | C-0077 |

metadata.labels=YOUR_VALUE

spec.jobTemplate.spec.template.metadata.labels=YOUR_VALUE

Name: ks-sa

ApiVersion:

Kind: ServiceAccount

Name: ks-sa

Namespace: kubescape

Severity	Name	Docs	Assisted Remediation
High	List Kubernetes secrets	C-0015

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].verbs[1]

relatedObjects[1].rules[0].verbs[2]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Name: kubevuln-scheduler

ApiVersion: batch/v1

Kind: CronJob

Name: kubevuln-scheduler

Namespace: kubescape

Severity	Name	Docs	Assisted Remediation
Medium	Allow privilege escalation	C-0016