Skip to content

Control library

Below is a list of all controls. Click a control to view its documentation:

  • C-0001: Forbidden Container Registries
  • C-0002: Prevent containers from allowing command execution
  • C-0004: Resources memory limit and request
  • C-0005: API server insecure port is enabled
  • C-0007: Roles with delete capabilities
  • C-0009: Resource limits
  • C-0012: Applications credentials in configuration files
  • C-0013: Non-root containers
  • C-0014: Access Kubernetes dashboard
  • C-0015: List Kubernetes secrets
  • C-0016: Allow privilege escalation
  • C-0017: Immutable container filesystem
  • C-0018: Configured readiness probe
  • C-0020: Mount service principal
  • C-0021: Exposed sensitive interfaces
  • C-0026: Kubernetes CronJob
  • C-0030: Ingress and Egress blocked
  • C-0031: Delete Kubernetes events
  • C-0034: Automatic mapping of service account
  • C-0035: Administrative Roles
  • C-0036: Validate admission controller (validating)
  • C-0037: CoreDNS poisoning
  • C-0038: Host PID/IPC privileges
  • C-0039: Validate admission controller (mutating)
  • C-0041: HostNetwork access
  • C-0042: SSH server running inside container
  • C-0044: Container hostPort
  • C-0045: Writable hostPath mount
  • C-0046: Insecure capabilities
  • C-0048: HostPath mount
  • C-0049: Network mapping
  • C-0050: Resources CPU limit and request
  • C-0052: Instance Metadata API
  • C-0053: Access container service account
  • C-0054: Cluster internal networking
  • C-0055: Linux hardening
  • C-0056: Configured liveness probe
  • C-0057: Privileged container
  • C-0058: CVE-2021-25741 - Using symlink for arbitrary host file system access.
  • C-0059: CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability
  • C-0061: Pods in default namespace
  • C-0062: Sudo in container entrypoint
  • C-0063: Portforwarding privileges
  • C-0065: No impersonation
  • C-0066: Secret/etcd encryption enabled
  • C-0067: Audit logs enabled
  • C-0068: PSP enabled
  • C-0069: Disable anonymous access to Kubelet service
  • C-0070: Enforce Kubelet client TLS authentication
  • C-0073: Naked pods
  • C-0074: Container runtime socket mounted
  • C-0075: Image pull policy on latest tag
  • C-0076: Label usage for resources
  • C-0077: K8s common labels usage
  • C-0078: Images from allowed registry
  • C-0079: CVE-2022-0185-linux-kernel-container-escape
  • C-0081: CVE-2022-24348-argocddirtraversal
  • C-0083: Workloads with Critical vulnerabilities exposed to external traffic
  • C-0084: Workloads with RCE vulnerabilities exposed to external traffic
  • C-0085: Workloads with excessive amount of vulnerabilities
  • C-0087: CVE-2022-23648-containerd-fs-escape
  • C-0088: RBAC enabled
  • C-0089: CVE-2022-3172-aggregated-API-server-redirect
  • C-0090: CVE-2022-39328-grafana-auth-bypass
  • C-0091: CVE-2022-47633-kyverno-signature-bypass
  • C-0092: Ensure that the API server pod specification file permissions are set to 600 or more restrictive
  • C-0093: Ensure that the API server pod specification file ownership is set to root:root
  • C-0094: Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive
  • C-0095: Ensure that the controller manager pod specification file ownership is set to root:root
  • C-0096: Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive
  • C-0097: Ensure that the scheduler pod specification file ownership is set to root:root
  • C-0098: Ensure that the etcd pod specification file permissions are set to 600 or more restrictive
  • C-0099: Ensure that the etcd pod specification file ownership is set to root:root
  • C-0100: Ensure that the Container Network Interface file permissions are set to 600 or more restrictive
  • C-0101: Ensure that the Container Network Interface file ownership is set to root:root
  • C-0102: Ensure that the etcd data directory permissions are set to 700 or more restrictive
  • C-0103: Ensure that the etcd data directory ownership is set to etcd:etcd
  • C-0104: Ensure that the admin.conf file permissions are set to 600
  • C-0105: Ensure that the admin.conf file ownership is set to root:root
  • C-0106: Ensure that the scheduler.conf file permissions are set to 600 or more restrictive
  • C-0107: Ensure that the scheduler.conf file ownership is set to root:root
  • C-0108: Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive
  • C-0109: Ensure that the controller-manager.conf file ownership is set to root:root
  • C-0110: Ensure that the Kubernetes PKI directory and file ownership is set to root:root
  • C-0111: Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive
  • C-0112: Ensure that the Kubernetes PKI key file permissions are set to 600
  • C-0113: Ensure that the API Server --anonymous-auth argument is set to false
  • C-0114: Ensure that the API Server --token-auth-file parameter is not set
  • C-0115: Ensure that the API Server --DenyServiceExternalIPs is not set
  • C-0116: Ensure that the API Server --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate
  • C-0117: Ensure that the API Server --kubelet-certificate-authority argument is set as appropriate
  • C-0118: Ensure that the API Server --authorization-mode argument is not set to AlwaysAllow
  • C-0119: Ensure that the API Server --authorization-mode argument includes Node
  • C-0120: Ensure that the API Server --authorization-mode argument includes RBAC
  • C-0121: Ensure that the admission control plugin EventRateLimit is set
  • C-0122: Ensure that the admission control plugin AlwaysAdmit is not set
  • C-0123: Ensure that the admission control plugin AlwaysPullImages is set
  • C-0124: Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
  • C-0125: Ensure that the admission control plugin ServiceAccount is set
  • C-0126: Ensure that the admission control plugin NamespaceLifecycle is set
  • C-0127: Ensure that the admission control plugin NodeRestriction is set
  • C-0128: Ensure that the API Server --secure-port argument is not set to 0
  • C-0129: Ensure that the API Server --profiling argument is set to false
  • C-0130: Ensure that the API Server --audit-log-path argument is set
  • C-0131: Ensure that the API Server --audit-log-maxage argument is set to 30 or as appropriate
  • C-0132: Ensure that the API Server --audit-log-maxbackup argument is set to 10 or as appropriate
  • C-0133: Ensure that the API Server --audit-log-maxsize argument is set to 100 or as appropriate
  • C-0134: Ensure that the API Server --request-timeout argument is set as appropriate
  • C-0135: Ensure that the API Server --service-account-lookup argument is set to true
  • C-0136: Ensure that the API Server --service-account-key-file argument is set as appropriate
  • C-0137: Ensure that the API Server --etcd-certfile and --etcd-keyfile arguments are set as appropriate
  • C-0138: Ensure that the API Server --tls-cert-file and --tls-private-key-file arguments are set as appropriate
  • C-0139: Ensure that the API Server --client-ca-file argument is set as appropriate
  • C-0140: Ensure that the API Server --etcd-cafile argument is set as appropriate
  • C-0141: Ensure that the API Server --encryption-provider-config argument is set as appropriate
  • C-0142: Ensure that encryption providers are appropriately configured
  • C-0143: Ensure that the API Server only makes use of Strong Cryptographic Ciphers
  • C-0144: Ensure that the Controller Manager --terminated-pod-gc-threshold argument is set as appropriate
  • C-0145: Ensure that the Controller Manager --profiling argument is set to false
  • C-0146: Ensure that the Controller Manager --use-service-account-credentials argument is set to true
  • C-0147: Ensure that the Controller Manager --service-account-private-key-file argument is set as appropriate
  • C-0148: Ensure that the Controller Manager --root-ca-file argument is set as appropriate
  • C-0149: Ensure that the Controller Manager RotateKubeletServerCertificate argument is set to true
  • C-0150: Ensure that the Controller Manager --bind-address argument is set to 127.0.0.1
  • C-0151: Ensure that the Scheduler --profiling argument is set to false
  • C-0152: Ensure that the Scheduler --bind-address argument is set to 127.0.0.1
  • C-0153: Ensure that the --cert-file and --key-file arguments are set as appropriate
  • C-0154: Ensure that the --client-cert-auth argument is set to true
  • C-0155: Ensure that the --auto-tls argument is not set to true
  • C-0156: Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate
  • C-0157: Ensure that the --peer-client-cert-auth argument is set to true
  • C-0158: Ensure that the --peer-auto-tls argument is not set to true
  • C-0159: Ensure that a unique Certificate Authority is used for etcd
  • C-0160: Ensure that a minimal audit policy is created
  • C-0161: Ensure that the audit policy covers key security concerns
  • C-0162: Ensure that the kubelet service file permissions are set to 600 or more restrictive
  • C-0163: Ensure that the kubelet service file ownership is set to root:root
  • C-0164: If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive
  • C-0165: If proxy kubeconfig file exists ensure ownership is set to root:root
  • C-0166: Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive
  • C-0167: Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root
  • C-0168: Ensure that the certificate authorities file permissions are set to 600 or more restrictive
  • C-0169: Ensure that the client certificate authorities file ownership is set to root:root
  • C-0170: If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive
  • C-0171: If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root
  • C-0172: Ensure that the --anonymous-auth argument is set to false
  • C-0173: Ensure that the --authorization-mode argument is not set to AlwaysAllow
  • C-0174: Ensure that the --client-ca-file argument is set as appropriate
  • C-0175: Verify that the --read-only-port argument is set to 0
  • C-0176: Ensure that the --streaming-connection-idle-timeout argument is not set to 0
  • C-0177: Ensure that the --protect-kernel-defaults argument is set to true
  • C-0178: Ensure that the --make-iptables-util-chains argument is set to true
  • C-0179: Ensure that the --hostname-override argument is not set
  • C-0180: Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture
  • C-0181: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate
  • C-0182: Ensure that the --rotate-certificates argument is not set to false
  • C-0183: Verify that the RotateKubeletServerCertificate argument is set to true
  • C-0184: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
  • C-0185: Ensure that the cluster-admin role is only used where required
  • C-0186: Minimize access to secrets
  • C-0187: Minimize wildcard use in Roles and ClusterRoles
  • C-0188: Minimize access to create pods
  • C-0189: Ensure that default service accounts are not actively used
  • C-0190: Ensure that Service Account Tokens are only mounted where necessary
  • C-0191: Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster
  • C-0192: Ensure that the cluster has at least one active policy control mechanism in place
  • C-0193: Minimize the admission of privileged containers
  • C-0194: Minimize the admission of containers wishing to share the host process ID namespace
  • C-0195: Minimize the admission of containers wishing to share the host IPC namespace
  • C-0196: Minimize the admission of containers wishing to share the host network namespace
  • C-0197: Minimize the admission of containers with allowPrivilegeEscalation
  • C-0198: Minimize the admission of root containers
  • C-0199: Minimize the admission of containers with the NET_RAW capability
  • C-0200: Minimize the admission of containers with added capabilities
  • C-0201: Minimize the admission of containers with capabilities assigned
  • C-0202: Minimize the admission of Windows HostProcess Containers
  • C-0203: Minimize the admission of HostPath volumes
  • C-0204: Minimize the admission of containers which use HostPorts
  • C-0205: Ensure that the CNI in use supports Network Policies
  • C-0206: Ensure that all Namespaces have Network Policies defined
  • C-0207: Prefer using secrets as files over secrets as environment variables
  • C-0208: Consider external secret storage
  • C-0209: Create administrative boundaries between resources using namespaces
  • C-0210: Ensure that the seccomp profile is set to docker/default in your pod definitions
  • C-0211: Apply Security Context to Your Pods and Containers
  • C-0212: The default namespace should not be used
  • C-0213: Minimize the admission of privileged containers
  • C-0214: Minimize the admission of containers wishing to share the host process ID namespace
  • C-0215: Minimize the admission of containers wishing to share the host IPC namespace
  • C-0216: Minimize the admission of containers wishing to share the host network namespace
  • C-0217: Minimize the admission of containers with allowPrivilegeEscalation
  • C-0218: Minimize the admission of root containers
  • C-0219: Minimize the admission of containers with added capabilities
  • C-0220: Minimize the admission of containers with capabilities assigned
  • C-0221: Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider
  • C-0222: Minimize user access to Amazon ECR
  • C-0223: Minimize cluster access to read-only for Amazon ECR
  • C-0225: Prefer using dedicated EKS Service Accounts
  • C-0226: Prefer using a container-optimized OS when possible
  • C-0227: Restrict Access to the Control Plane Endpoint
  • C-0228: Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled
  • C-0229: Ensure clusters are created with Private Nodes
  • C-0230: Ensure Network Policy is Enabled and set as appropriate
  • C-0231: Encrypt traffic to HTTPS load balancers with TLS certificates
  • C-0232: Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes or Upgrade to AWS CLI v1.16.156
  • C-0233: Consider Fargate for running untrusted workloads
  • C-0234: Consider external secret storage
  • C-0235: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive
  • C-0236: Verify image signature
  • C-0237: Check if signature exists
  • C-0238: Ensure that the kubeconfig file permissions are set to 644 or more restrictive
  • C-0239: Prefer using dedicated AKS Service Accounts
  • C-0240: Ensure Network Policy is Enabled and set as appropriate
  • C-0241: Use Azure RBAC for Kubernetes Authorization.
  • C-0242: Hostile multi-tenant workloads
  • C-0243: Ensure Image Vulnerability Scanning using Azure Defender image scanning or a third party provider
  • C-0244: Ensure Kubernetes Secrets are encrypted
  • C-0245: Encrypt traffic to HTTPS load balancers with TLS certificates
  • C-0246: Avoid use of system:masters group
  • C-0247: Restrict Access to the Control Plane Endpoint
  • C-0248: Ensure clusters are created with Private Nodes
  • C-0249
  • C-0250: Minimize cluster access to read-only for Azure Container Registry (ACR)
  • C-0251: Minimize user access to Azure Container Registry (ACR)
  • C-0252: Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled
  • C-0253: Deprecated Kubernetes image registry
  • C-0254: Enable audit Logs
  • C-0255: Workload with secret access
  • C-0256: External facing
  • C-0257: Workload with PVC access
  • C-0258: Workload with ConfigMap access
  • C-0259: Workload with credential access
  • C-0260: Missing network policy
  • C-0261: ServiceAccount token mounted
  • C-0262: Anonymous user has RoleBinding
  • C-0263: Ingress uses TLS
  • C-0264: PersistentVolume without encyption
  • C-0265: system:authenticated user has elevated roles
  • C-0266: Exposure to internet via Gateway API or Istio Ingress
  • C-0267: Workload with cluster takeover roles
  • C-0268: Ensure CPU requests are set
  • C-0269: Ensure memory requests are set
  • C-0270: Ensure CPU limits are set
  • C-0271: Ensure memory limits are set
  • C-0272: Workload with administrative roles
  • C-0273: Outdated Kubernetes version
  • C-0274: Verify Authenticated Service
  • C-0275: Minimize the admission of containers wishing to share the host process ID namespace
  • C-0276: Minimize the admission of containers wishing to share the host IPC namespace
  • C-0277: Ensure that the API Server only makes use of Strong Cryptographic Ciphers
  • C-0278: Minimize access to create persistent volumes
  • C-0279: Minimize access to the proxy sub-resource of nodes
  • C-0280: Minimize access to the approval sub-resource of certificatesigningrequests objects
  • C-0281: Minimize access to webhook configuration objects
  • C-0282: Minimize access to the service account token creation
  • C-0283: Ensure that the API Server --DenyServiceExternalIPs is set
  • C-0284: Ensure that the Kubelet is configured to limit pod PIDS