k8s 漏洞列表

A security issue was discovered in ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller

A security issue was discovered in ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller

Checks for missing CPU limits in Kubernetes Deployments, which can lead to excessive CPU usage and affect other applications

Checks for missing CPU requests in Kubernetes Deployments, which can lead to inadequate scheduling and resource allocation.

Checks if Kubernetes Deployments are using the default namespace, which can lead to security risks and mismanagement issues.

Checks Kubernetes Deployments to ensure they are not configured to use host ports, which can expose the host to potential security risks.

Ensures that Kubernetes deployments have the image pull policy set to 'Always', which guarantees the most up-to-date version of the image is used.

Checks if Kubernetes Deployment container images are using tags other than 'latest' or blank, which can lead to unstable and unpredictable deployments.

Checks for missing liveness probes in Kubernetes Deployments, which are essential for managing container health and automatic recovery

Checks for missing memory limits in Kubernetes Deployments, which can lead to resource contention and instability

Checks for missing memory requests in Kubernetes Deployments, which can lead to inefficient scheduling and potential node resource exhaustion.

Checks for containers running in privileged mode within Kubernetes Deployments, and now also checks for user privileges and privilege escalation settings.

Checks for missing readiness probes in Kubernetes Deployments, which can lead to traffic being sent to unready containers

Checks if any Kubernetes Deployments admit containers that run as root, which can pose a significant security risk.

Checks if the seccomp profile is set to docker/default or runtime/default in Kubernetes Deployments.

Checks if any network policies are defined across all namespaces in the Kubernetes cluster.

Checks for network policies in Kubernetes that do not define egress rules, which can leave the network exposed to external threats.

Checks for Kubernetes Network Policies that do not specify a namespace, which can lead to potential misconfigurations and security issues.

Checks if Kubernetes network policies define specific ingress rules, which can help secure network communication within the cluster.

Checks for containers running with the allowPrivilegeEscalation flag enabled, which can increase security risks by allowing privileges to be escalated

Checks if any containers in Kubernetes Pods are configured to share the host's IPC namespace, which can lead to security risks.

Checks if containers in Kubernetes pods share the host's process ID namespace, which can pose a security risk.

Checks for containers that do not use a read-only filesystem, which can prevent malicious write operations at runtime

Checks for pods and containers running with a read-only root filesystem to prevent modifications to the filesystem, enhancing security.

Checks for pods running with the user ID of the root user, increasing security risks.

Checks for roles that have permissions to create pods.

Checks if encryption providers are appropriately configured in Kubernetes, ensuring that data at rest is secured.

Checks if the etcd-cafile argument is properly set in the etcd configuration, crucial for secure client connections to etcd.

Checks if the etcd-certfile and etcd-keyfile arguments are properly set in the etcd server configuration, crucial for secure communication.

Checks if the service-account-issuer argument is correctly configured in the API server, critical for issuing valid service tokens.

Checks if the service-account-key-file argument is properly set in the API server configuration, which is critical for validating service account tokens.

Checks if the service-account-lookup argument is set to true in the API server configuration, which is essential for verifying service accounts against the stored secrets.

Checks if the tls-cert-file and tls-private-key-file arguments are properly set in the API server configuration, which is essential for secure communication.