Getting started
Welcome to Kubescape User Hub 👋
Quick Start in 3 Steps
Installing Kubescape
Running cluster scan
How to use
Options
Usage and examples
Repository scanning
Installation of Kubescape in cluster
Kubescape Microservice API
Cluster vulnerability scanning
Visualizing Kubernetes RBAC
Exceptions
Integration with cloud providers
Host Scanner
Limitations
Kubescape Cloud account
Controls
Frameworks
Controls
C-0001 - Forbidden Container Registries
C-0002 - Exec into container
C-0004 - Resources memory limit and request
C-0005 - Control plane hardening
C-0006 - Allowed hostPath
C-0011 - Network policies
C-0007 - Data Destruction
C-0009 - Resource policies
C-0012 - Applications credentials in configuration files
C-0013 - Non-root containers
C-0014 - Access Kubernetes dashboard
C-0015 - List Kubernetes secrets
C-0016 - Allow privilege escalation
C-0028 - Dangerous capabilities
C-0017 - Immutable container filesystem
C-0018 - Configured readiness probe
C-0019 - Bash/cmd inside container
C-0020 - Mount service principal
C-0021 - Exposed sensitive interfaces
C-0024 - Vulnerable application
C-0025 - Application exploit (RCE)
C-0026 - Kubernetes CronJob
C-0030 - Ingress and Egress blocked
C-0031 - Delete Kubernetes events
C-0033 - Access tiller endpoint
C-0034 - Automatic mapping of service account
C-0035 - Cluster-admin binding
C-0036 - Malicious admission controller (validating)
C-0037 - CoreDNS poisoning
C-0038 - Host PID/IPC privileges
C-0039 - Malicious admission controller (mutating)
C-0041 - HostNetwork access
C-0064 - Image pull policy on latest image tag
C-0042 - SSH server running inside container
C-0044 - Container hostPort
C-0045 - Writable hostPath mount
C-0046 - Insecure capabilities
C-0047 - Exposed dashboard
C-0048 - HostPath mount
C-0049 - Network mapping
C-0071 - Validate Kubelet TLS configuration
C-0050 - Resources CPU limit and request
C-0052 - Instance Metadata API
C-0053 - Access container service account
C-0054 - Cluster internal networking
C-0055 - Linux hardening
C-0056 - Configured liveness probe
C-0057 - Privileged container
C-0058 - CVE-2021-25741 - Using symlink for arbitrary host file system access.
C-0059 - CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability
C-0060 - Namespace without service accounts
C-0061 - Pods in default namespace
C-0062 - Sudo in container entrypoint
C-0063 - Portforwarding privileges
C-0065 - No impersonation
C-0066 - Secret/ETCD encryption enabled
C-0067 - Audit logs enabled
C-0068 - PSP enabled
C-0069 - Disable anonymous access to Kubelet service
C-0070 - Enforce Kubelet client TLS authentication
C-0073 - Naked PODs
C-0074 - Containers mounting Docker socket
C-0075 - Image pull policy on latest tag
C-0076 - Label usage for resources
C-0077 - K8s common labels usage
C-0078 - Images from allowed registry
C-0079 - CVE-2022-0185-linux-kernel-container-escape
C-0081 - CVE-2022-24348-argocddirtraversal
C-0082 - Read-only port enabled
C-0083 - Workloads with Critical vulnerabilities exposed to external traffic
C-0084 - Workloads with RCE vulnerabilities exposed to external traffic
C-0085 - Workloads with excessive amount of vulnerabilities
C-0086 - CVE-2022-0492-cgroups-container-escape
C-0087 - CVE-2022-23648-containerd-fs-escape
C-0088 - RBAC enabled
Configuration parameters
Parameter: cpu_limit_max
Parameter: cpu_limit_min
Parameter: cpu_request_max
Parameter: cpu_request_min
Parameter: imageRepositoryAllowList
Parameter: insecureCapabilities
Parameter: k8sRecommendedLabels
Parameter: listOfDangerousArtifcats
Parameter: max_critical_vulnerabilities
Parameter: max_high_vulnerabilities
Parameter: memory_limit_max
Parameter: memory_limit_min
Parameter: memory_request_max
Parameter: memory_request_min
Parameter: publicRegistries
Parameter: recommendedLabels
Parameter: sensitiveInterfaces
Parameter: sensitiveKeyNames
Parameter: sensitiveValues
Parameter: sensitiveValuesAllowed
Parameter: servicesNames
Parameter: untrustedRegistries
Customization
Statuses
Integrations
Jenkins CI/CD
CircleCI
GitLab CI/CD
GitHub Actions
Azure DevOps pipeline
Google Cloud Services integration
Amazon Web Services integration
Kubernetes Lens
Visual Studio Code
Prometheus Exporter
Kubescape SaaS
Authentication
Frameworks
Updated 9 months ago