diff --git a/cloud/kubernetes/deployments/k8s-cpu-limits-not-set.yaml b/cloud/kubernetes/deployments/k8s-cpu-limits-not-set.yaml
index 7daf55f8d78..3331f2e6079 100644
--- a/cloud/kubernetes/deployments/k8s-cpu-limits-not-set.yaml
+++ b/cloud/kubernetes/deployments/k8s-cpu-limits-not-set.yaml
@@ -11,7 +11,7 @@ info:
 Set CPU limits for all containers in Kubernetes Deployments to ensure fair CPU resource distribution and prevent performance issues.
 reference:
 - https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/
- tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+ tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/deployments/k8s-cpu-requests-not-set.yaml b/cloud/kubernetes/deployments/k8s-cpu-requests-not-set.yaml
index 319677a5944..a01635ee996 100644
--- a/cloud/kubernetes/deployments/k8s-cpu-requests-not-set.yaml
+++ b/cloud/kubernetes/deployments/k8s-cpu-requests-not-set.yaml
@@ -11,7 +11,7 @@ info:
 Set CPU requests for all containers in Kubernetes Deplayments to ensure efficient scheduling and resource allocation.
 reference:
 - https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/
- tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+ tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/deployments/k8s-default-namespace-used.yaml b/cloud/kubernetes/deployments/k8s-default-namespace-used.yaml
index 2a35ad6add7..84d60d93c72 100644
--- a/cloud/kubernetes/deployments/k8s-default-namespace-used.yaml
+++ b/cloud/kubernetes/deployments/k8s-default-namespace-used.yaml
@@ -11,7 +11,7 @@ info:
 Avoid using the default namespace for Kubernetes Deployments. Create and specify dedicated namespaces tailored to specific applications or teams to enhance security and manage resources effectively.
 reference:
 - https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
- tags: cloud,devops,kubernetes,k8s,devsecops,namespaces
+ tags: cloud,devops,kubernetes,k8s,devsecops,namespaces,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/deployments/k8s-host-ports-check.yaml b/cloud/kubernetes/deployments/k8s-host-ports-check.yaml
index 0d8fb6bd3bd..d712e1f0972 100644
--- a/cloud/kubernetes/deployments/k8s-host-ports-check.yaml
+++ b/cloud/kubernetes/deployments/k8s-host-ports-check.yaml
@@ -11,7 +11,7 @@ info:
 Avoid using host ports in Kubernetes Deployments. Use services or other networking mechanisms to expose container applications.
 reference:
 - https://kubernetes.io/docs/concepts/services-networking/service/
- tags: cloud,devops,kubernetes,security,devsecops,deployments
+ tags: cloud,devops,kubernetes,devsecops,deployments,k8s,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/deployments/k8s-image-pull-policy-always.yaml b/cloud/kubernetes/deployments/k8s-image-pull-policy-always.yaml
index 17c192b3af9..86f28924842 100644
--- a/cloud/kubernetes/deployments/k8s-image-pull-policy-always.yaml
+++ b/cloud/kubernetes/deployments/k8s-image-pull-policy-always.yaml
@@ -10,7 +10,7 @@ info:
 remediation: Update the image pull policy in Kubernetes Deployments to 'Always' to ensure that the latest container images are always used.
 reference:
 - https://kubernetes.io/docs/concepts/containers/images/#updating-images
- tags: cloud,devops,kubernetes,k8s,devsecops,deployments,images,docker
+ tags: cloud,devops,kubernetes,k8s,devsecops,deployments,images,docker,k8s-cluster-security
 flow: |
 code(1);
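Review bot: The new tags line for k8s-host-ports-check drops the `security` tag while adding `k8s` and `k8s-cluster-security`, so any scan that selects templates with `-tags security` silently loses this check; the same removal appears in the k8s-seccomp-profile-set, k8s-netpol-egress-rules, k8s-netpol-namespace, k8s-readonly-rootfs, k8s-root-user-id, k8s-audit-log-path-set, k8s-enc-prov-conf, k8s-etcd-cafile-set, k8s-etcd-files-set, k8s-ns-usage-check and k8s-svc-acct-issuer-set hunks, and the two netpol hunks also lose their `network`/`networking` tags. Other hunks in this commit (k8s-network-ingress-rules, k8s-allow-privilege-escalation-set, k8s-svc-acct-key, k8s-svc-acct-lookup-set, k8s-tls-config-set) keep `security`, so the tag set ends up inconsistent across the k8s templates. Introducing the profile tag should be purely additive, e.g. `tags: cloud,devops,kubernetes,security,devsecops,deployments,k8s,k8s-cluster-security` here.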
diff --git a/cloud/kubernetes/deployments/k8s-image-tag-not-fixed.yaml b/cloud/kubernetes/deployments/k8s-image-tag-not-fixed.yaml
index 989b5b27598..9211eecb08f 100644
--- a/cloud/kubernetes/deployments/k8s-image-tag-not-fixed.yaml
+++ b/cloud/kubernetes/deployments/k8s-image-tag-not-fixed.yaml
@@ -11,7 +11,7 @@ info:
 Use specific image tags for all containers in Kubernetes Deployments to ensure reproducibility and stability of application deployments.
 reference:
 - https://kubernetes.io/docs/concepts/containers/images/
- tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+ tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/deployments/k8s-liveness-probe-not-configured.yaml b/cloud/kubernetes/deployments/k8s-liveness-probe-not-configured.yaml
index dc4f6125532..2039d0acf31 100644
--- a/cloud/kubernetes/deployments/k8s-liveness-probe-not-configured.yaml
+++ b/cloud/kubernetes/deployments/k8s-liveness-probe-not-configured.yaml
@@ -10,7 +10,7 @@ info:
 remediation: Configure liveness probes for all containers in Kubernetes Deployments to ensure proper health checks and automatic restarts of failing containers
 reference:
 - https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
- tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+ tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/deployments/k8s-memory-limits-not-set.yaml b/cloud/kubernetes/deployments/k8s-memory-limits-not-set.yaml
index c8d50de6d9d..b528dc243b4 100644
--- a/cloud/kubernetes/deployments/k8s-memory-limits-not-set.yaml
+++ b/cloud/kubernetes/deployments/k8s-memory-limits-not-set.yaml
@@ -10,7 +10,7 @@ info:
 remediation: Set memory limits for all containers in Kubernetes Deployments to ensure resource management and application stability
 reference:
 - https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/
- tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+ tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/deployments/k8s-memory-requests-not-set.yaml b/cloud/kubernetes/deployments/k8s-memory-requests-not-set.yaml
index 2f83e316981..e4913e60959 100644
--- a/cloud/kubernetes/deployments/k8s-memory-requests-not-set.yaml
+++ b/cloud/kubernetes/deployments/k8s-memory-requests-not-set.yaml
@@ -10,7 +10,7 @@ info:
 remediation: Set memory requests for all containers in Kubernetes Deployments to ensure efficient pod scheduling and node resource utilization.
 reference:
 - https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/
- tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+ tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/deployments/k8s-minimize-added-capabilities.yaml b/cloud/kubernetes/deployments/k8s-minimize-added-capabilities.yaml
index 6da198f43a3..991f396b89c 100644
--- a/cloud/kubernetes/deployments/k8s-minimize-added-capabilities.yaml
+++ b/cloud/kubernetes/deployments/k8s-minimize-added-capabilities.yaml
@@ -11,7 +11,7 @@ info:
 Ensure that no unnecessary capabilities are added to containers within Kubernetes Deployments. Use security contexts to define the minimum necessary privileges.
 reference:
 - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
- tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+ tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/deployments/k8s-privileged-container.yaml b/cloud/kubernetes/deployments/k8s-privileged-container.yaml
index b37e429c230..d8310da8389 100644
--- a/cloud/kubernetes/deployments/k8s-privileged-container.yaml
+++ b/cloud/kubernetes/deployments/k8s-privileged-container.yaml
@@ -11,7 +11,7 @@ info:
 Ensure that no container in Kubernetes Deployments runs in privileged mode, as the root user, or with privilege escalation enabled. Modify the security context for each container to set `privileged: false`, `runAsUser` appropriately, and `allowPrivilegeEscalation: false`.
 reference:
 - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
- tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+ tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/deployments/k8s-readiness-probe-not-set.yaml b/cloud/kubernetes/deployments/k8s-readiness-probe-not-set.yaml
index de141bb4dcf..b29761b8a32 100644
--- a/cloud/kubernetes/deployments/k8s-readiness-probe-not-set.yaml
+++ b/cloud/kubernetes/deployments/k8s-readiness-probe-not-set.yaml
@@ -11,7 +11,7 @@ info:
 Define readiness probes in all containers within your Kubernetes Deployments to ensure that traffic is only routed to containers that are fully prepared to handle it.
 reference:
 - https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
- tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+ tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/deployments/k8s-root-container-admission.yaml b/cloud/kubernetes/deployments/k8s-root-container-admission.yaml
index 6dedcd1369a..dd59064962e 100644
--- a/cloud/kubernetes/deployments/k8s-root-container-admission.yaml
+++ b/cloud/kubernetes/deployments/k8s-root-container-admission.yaml
@@ -11,7 +11,7 @@ info:
 Configure security contexts for all pods to run containers with a non-root user. Use Pod Security Policies or OPA/Gatekeeper to enforce these configurations.
 reference:
 - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
- tags: cloud,devops,kubernetes,devsecops,deployments,k8s
+ tags: cloud,devops,kubernetes,devsecops,deployments,k8s,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/deployments/k8s-seccomp-profile-set.yaml b/cloud/kubernetes/deployments/k8s-seccomp-profile-set.yaml
index b59ecb43f62..1a331a788a8 100644
--- a/cloud/kubernetes/deployments/k8s-seccomp-profile-set.yaml
+++ b/cloud/kubernetes/deployments/k8s-seccomp-profile-set.yaml
@@ -11,7 +11,7 @@ info:
 Ensure that all containers in Kubernetes Deployments have a seccomp profile of docker/default or runtime/default set in their security contexts.
 reference:
 - https://kubernetes.io/docs/tutorials/clusters/seccomp/
- tags: cloud,devops,kubernetes,security,devsecops,containers
+ tags: cloud,devops,kubernetes,devsecops,containers,k8s,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/kubernetes-code-env.yaml b/cloud/kubernetes/kubernetes-code-env.yaml
index ffcff48ad96..8c5a34b874f 100644
--- a/cloud/kubernetes/kubernetes-code-env.yaml
+++ b/cloud/kubernetes/kubernetes-code-env.yaml
@@ -7,7 +7,7 @@ info:
 Checks if kubernetes CLI is set up and all necessary tools are installed on the environment.
 reference:
 - https://kubernetes.io/
- tags: cloud,devops,kubernetes,k8s,kubernetes-cloud-config
+ tags: cloud,devops,kubernetes,k8s,k8s-cluster-security
 self-contained: true
 code:
diff --git a/cloud/kubernetes/network-policies/k8s-netpol-egress-rules.yaml b/cloud/kubernetes/network-policies/k8s-netpol-egress-rules.yaml
index f08f42535b1..c053894af20 100644
--- a/cloud/kubernetes/network-policies/k8s-netpol-egress-rules.yaml
+++ b/cloud/kubernetes/network-policies/k8s-netpol-egress-rules.yaml
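Review bot: The kubernetes-code-env.yaml tags line replaces `kubernetes-cloud-config` with `k8s-cluster-security` instead of adding it, so if an existing profile or invocation selects this environment check by `kubernetes-cloud-config` (not visible in this diff), it stops matching after this commit. Keeping both tags, `tags: cloud,devops,kubernetes,k8s,kubernetes-cloud-config,k8s-cluster-security`, gives the new profile what it needs without breaking the old selector.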
@@ -10,7 +10,7 @@ info:
 remediation: Define egress rules in all network policies to control outbound traffic from your Kubernetes pods, thereby reducing security risks.
 reference:
 - https://kubernetes.io/docs/concepts/services-networking/network-policies/
- tags: cloud,devops,kubernetes,security,devsecops,network
+ tags: cloud,devops,kubernetes,devsecops,k8s,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/network-policies/k8s-netpol-namespace.yaml b/cloud/kubernetes/network-policies/k8s-netpol-namespace.yaml
index 2051aae3803..349b01076e0 100644
--- a/cloud/kubernetes/network-policies/k8s-netpol-namespace.yaml
+++ b/cloud/kubernetes/network-policies/k8s-netpol-namespace.yaml
@@ -11,7 +11,7 @@ info:
 Ensure that all Network Policies explicitly define a namespace to maintain proper network isolation and security boundaries.
 reference:
 - https://kubernetes.io/docs/concepts/services-networking/network-policies/
- tags: cloud,devops,kubernetes,security,devsecops,networking
+ tags: cloud,devops,kubernetes,devsecops,k8s,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/network-policies/k8s-network-ingress-rules.yaml b/cloud/kubernetes/network-policies/k8s-network-ingress-rules.yaml
index f0d245847d0..954d2348aed 100644
--- a/cloud/kubernetes/network-policies/k8s-network-ingress-rules.yaml
+++ b/cloud/kubernetes/network-policies/k8s-network-ingress-rules.yaml
@@ -11,7 +11,7 @@ info:
 Define specific ingress rules in all network policies to control the flow of inbound traffic to pods, ensuring only authorized traffic can access cluster resources.
 reference:
 - https://kubernetes.io/docs/concepts/services-networking/network-policies/
- tags: cloud,devops,kubernetes,security,networking
+ tags: cloud,devops,kubernetes,security,k8s,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/pods/k8s-allow-privilege-escalation-set.yaml b/cloud/kubernetes/pods/k8s-allow-privilege-escalation-set.yaml
index aaef1e10e33..b9e717d3922 100644
--- a/cloud/kubernetes/pods/k8s-allow-privilege-escalation-set.yaml
+++ b/cloud/kubernetes/pods/k8s-allow-privilege-escalation-set.yaml
@@ -10,7 +10,7 @@ info:
 remediation: Ensure that the allowPrivilegeEscalation flag is set to false in all container configurations to minimize security risks
 reference:
 - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
- tags: cloud,devops,kubernetes,security,devsecops,containers
+ tags: cloud,devops,kubernetes,security,devsecops,containers,k8s,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/pods/k8s-containers-share-host-ipc.yaml b/cloud/kubernetes/pods/k8s-containers-share-host-ipc.yaml
index ead59c806a0..b449495d9f4 100644
--- a/cloud/kubernetes/pods/k8s-containers-share-host-ipc.yaml
+++ b/cloud/kubernetes/pods/k8s-containers-share-host-ipc.yaml
@@ -10,7 +10,7 @@ info:
 remediation: Ensure that no container in Kubernetes Pods is set to share the host IPC namespace. Configure 'spec.hostIPC' to 'false' for all pods to isolate IPC namespaces.
 reference:
 - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
- tags: cloud,devops,kubernetes,k8s,devsecops,pods
+ tags: cloud,devops,kubernetes,k8s,devsecops,pods,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/pods/k8s-host-network-namespace-shared.yaml b/cloud/kubernetes/pods/k8s-host-network-namespace-shared.yaml
index a98680cc000..2bc9bd222d8 100644
--- a/cloud/kubernetes/pods/k8s-host-network-namespace-shared.yaml
+++ b/cloud/kubernetes/pods/k8s-host-network-namespace-shared.yaml
@@ -11,7 +11,7 @@ info:
 Ensure that the 'hostNetwork' field is set to false in all Kubernetes Pods to prevent containers from sharing the host's network namespace.
 reference:
 - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
- tags: cloud,devops,kubernetes,k8s,devsecops,namespace
+ tags: cloud,devops,kubernetes,k8s,devsecops,namespace,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/pods/k8s-host-pid-namespace-sharing.yaml b/cloud/kubernetes/pods/k8s-host-pid-namespace-sharing.yaml
index e9386f6075d..55296d3fc84 100644
--- a/cloud/kubernetes/pods/k8s-host-pid-namespace-sharing.yaml
+++ b/cloud/kubernetes/pods/k8s-host-pid-namespace-sharing.yaml
@@ -11,7 +11,7 @@ info:
 Ensure that the 'hostPID' field is set to 'false' in Kubernetes Pod specifications to prevent containers from sharing the host's PID namespace.
 reference:
 - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
- tags: cloud,devops,kubernetes,k8s,devsecops,pods
+ tags: cloud,devops,kubernetes,k8s,devsecops,pods,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/pods/k8s-readonly-fs.yaml b/cloud/kubernetes/pods/k8s-readonly-fs.yaml
index 520aeb5a846..24312b1075b 100644
--- a/cloud/kubernetes/pods/k8s-readonly-fs.yaml
+++ b/cloud/kubernetes/pods/k8s-readonly-fs.yaml
@@ -10,7 +10,7 @@ info:
 remediation: Configure containers to use read-only filesystems where possible to enhance security and minimize risk of unauthorized data modification
 reference:
 - https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
- tags: cloud,devops,kubernetes,k8s,devsecops,pods
+ tags: cloud,devops,kubernetes,k8s,devsecops,pods,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/pods/k8s-readonly-rootfs.yaml b/cloud/kubernetes/pods/k8s-readonly-rootfs.yaml
index 8f59478b73d..3bbef35dbed 100644
--- a/cloud/kubernetes/pods/k8s-readonly-rootfs.yaml
+++ b/cloud/kubernetes/pods/k8s-readonly-rootfs.yaml
@@ -11,7 +11,7 @@ info:
 Configure all pods and containers to have their root filesystem set to read-only mode. This can be achieved by setting the securityContext.readOnlyRootFilesystem parameter to true in the pod or container configuration.
 reference:
 - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
- tags: cloud,devops,kubernetes,security,devsecops,pods,k8s
+ tags: cloud,devops,kubernetes,devsecops,pods,k8s,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/pods/k8s-root-user-id.yaml b/cloud/kubernetes/pods/k8s-root-user-id.yaml
index e2cd9a2db32..666e61a8807 100644
--- a/cloud/kubernetes/pods/k8s-root-user-id.yaml
+++ b/cloud/kubernetes/pods/k8s-root-user-id.yaml
@@ -10,7 +10,7 @@ info:
 remediation: Configure pods to run with a non-root user ID by setting the 'securityContext' for each container and the pod itself.
 reference:
 - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
- tags: cloud,devops,kubernetes,security,devsecops,pods
+ tags: cloud,devops,kubernetes,devsecops,pods,k8s,k8s-cluster-security
 flow: |
 code(1);
diff --git a/cloud/kubernetes/security-compliance/k8s-audit-log-path-set.yaml b/cloud/kubernetes/security-compliance/k8s-audit-log-path-set.yaml
index d705b4bd376..9b0af09a507 100644
--- a/cloud/kubernetes/security-compliance/k8s-audit-log-path-set.yaml
+++ b/cloud/kubernetes/security-compliance/k8s-audit-log-path-set.yaml
@@ -11,7 +11,7 @@ info:
 Configure the Kubernetes API server to include the audit-log-path argument pointing to a secure, writeable directory where audit logs will be stored. Ensure that this directory is properly secured and regularly monitored.
 reference:
 - https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
- tags: cloud,devops,kubernetes,security,devsecops,api-server
+ tags: cloud,devops,kubernetes,devsecops,api-server,k8s,k8s-cluster-security
 variables:
 argument: "audit-log-path"
diff --git a/cloud/kubernetes/security-compliance/k8s-enc-prov-conf.yaml b/cloud/kubernetes/security-compliance/k8s-enc-prov-conf.yaml
index b755b9ff12c..ac271d1834f 100644
--- a/cloud/kubernetes/security-compliance/k8s-enc-prov-conf.yaml
+++ b/cloud/kubernetes/security-compliance/k8s-enc-prov-conf.yaml
@@ -11,7 +11,7 @@ info:
 Ensure that the encryption provider configuration file is set up correctly and referenced properly in the API server configuration. Encryption should be enabled and configured according to the security best practices.
 reference:
 - https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
- tags: cloud,devops,kubernetes,security,devsecops,encryption
+ tags: cloud,devops,kubernetes,devsecops,encryption,k8s,k8s-cluster-security
 variables:
 argument: "encryption-provider-config"
diff --git a/cloud/kubernetes/security-compliance/k8s-etcd-cafile-set.yaml b/cloud/kubernetes/security-compliance/k8s-etcd-cafile-set.yaml
index 6607c49e478..1c8a9f4cd51 100644
--- a/cloud/kubernetes/security-compliance/k8s-etcd-cafile-set.yaml
+++ b/cloud/kubernetes/security-compliance/k8s-etcd-cafile-set.yaml
@@ -11,7 +11,7 @@ info:
 Configure etcd to use an etcd-cafile argument that points to a valid CA certificate bundle. This setting should be part of the etcd startup arguments or in its configuration file.
 reference:
 - https://etcd.io/docs/v3.5/op-guide/security/
- tags: cloud,devops,kubernetes,security,devsecops,etcd
+ tags: cloud,devops,kubernetes,devsecops,etcd,k8s,k8s-cluster-security
 variables:
 argument: "etcd-cafile"
diff --git a/cloud/kubernetes/security-compliance/k8s-etcd-files-set.yaml b/cloud/kubernetes/security-compliance/k8s-etcd-files-set.yaml
index 7a6160556fd..fa66bcccb10 100644
--- a/cloud/kubernetes/security-compliance/k8s-etcd-files-set.yaml
+++ b/cloud/kubernetes/security-compliance/k8s-etcd-files-set.yaml
@@ -11,7 +11,7 @@ info:
 Configure the etcd server to use etcd-certfile and etcd-keyfile arguments that point to valid certificate and key files respectively. This ensures that communications to and from the etcd server are properly encrypted.
 reference:
 - https://etcd.io/docs/v3.4.0/op-guide/security/
- tags: cloud,devops,kubernetes,security,devsecops,etcd
+ tags: cloud,devops,kubernetes,devsecops,etcd,k8s,k8s-cluster-security
 variables:
 argument: "etcd-certfile or etcd-keyfile"
diff --git a/cloud/kubernetes/security-compliance/k8s-ns-usage-check.yaml b/cloud/kubernetes/security-compliance/k8s-ns-usage-check.yaml
index a16b69c46b7..8a8e1b3ccd6 100644
--- a/cloud/kubernetes/security-compliance/k8s-ns-usage-check.yaml
+++ b/cloud/kubernetes/security-compliance/k8s-ns-usage-check.yaml
@@ -11,7 +11,7 @@ info:
 Implement and use namespaces to organize resources within the Kubernetes cluster effectively. Define access controls and resource quotas on a per-namespace basis.
 reference:
 - https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
- tags: cloud,devops,kubernetes,security,devsecops,namespaces
+ tags: cloud,devops,kubernetes,devsecops,namespaces,k8s,k8s-cluster-security
 variables:
 argument: "namespaces"
diff --git a/cloud/kubernetes/security-compliance/k8s-svc-acct-issuer-set.yaml b/cloud/kubernetes/security-compliance/k8s-svc-acct-issuer-set.yaml
index ac65cadc8e8..9086abfb7c8 100644
--- a/cloud/kubernetes/security-compliance/k8s-svc-acct-issuer-set.yaml
+++ b/cloud/kubernetes/security-compliance/k8s-svc-acct-issuer-set.yaml
@@ -11,7 +11,7 @@ info:
 Set the service-account-issuer argument to a valid issuer URL in the API server's startup arguments or configuration file. This ensures the tokens issued are trusted across services.
 reference:
 - https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- tags: cloud,devops,kubernetes,security,devsecops,api-server
+ tags: cloud,devops,kubernetes,devsecops,api-server,k8s,k8s-cluster-security
 variables:
 argument: "service-account-issuer"
diff --git a/cloud/kubernetes/security-compliance/k8s-svc-acct-key.yaml b/cloud/kubernetes/security-compliance/k8s-svc-acct-key.yaml
index 297ea441091..25e93ee8409 100644
--- a/cloud/kubernetes/security-compliance/k8s-svc-acct-key.yaml
+++ b/cloud/kubernetes/security-compliance/k8s-svc-acct-key.yaml
@@ -11,7 +11,7 @@ info:
 Configure the API server to use a service-account-key-file that points to a valid private key used to sign service account tokens. This setting should be part of the API server startup arguments or in its configuration file.
 reference:
 - https://kubernetes.io/docs/admin/kube-apiserver/
- tags: cloud,devops,kubernetes,security,devsecops,api-server
+ tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security
 variables:
 argument: "service-account-key-file"
diff --git a/cloud/kubernetes/security-compliance/k8s-svc-acct-lookup-set.yaml b/cloud/kubernetes/security-compliance/k8s-svc-acct-lookup-set.yaml
index 5168e9aaf89..e628964fbf6 100644
--- a/cloud/kubernetes/security-compliance/k8s-svc-acct-lookup-set.yaml
+++ b/cloud/kubernetes/security-compliance/k8s-svc-acct-lookup-set.yaml
@@ -11,7 +11,7 @@ info:
 Set the service-account-lookup argument to true in the API server's startup arguments or configuration file to ensure proper verification of service accounts.
 reference:
 - https://kubernetes.io/docs/admin/kube-apiserver/
- tags: cloud,devops,kubernetes,security,devsecops,api-server
+ tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security
 variables:
 argument: "service-account-lookup=true"
diff --git a/cloud/kubernetes/security-compliance/k8s-tls-config-set.yaml b/cloud/kubernetes/security-compliance/k8s-tls-config-set.yaml
index 30b5c65b75a..b55ff705c95 100644
--- a/cloud/kubernetes/security-compliance/k8s-tls-config-set.yaml
+++ b/cloud/kubernetes/security-compliance/k8s-tls-config-set.yaml
@@ -11,7 +11,7 @@ info:
 Configure the API server to use tls-cert-file and tls-private-key-file that point to a valid certificate and key file respectively. This setting should be part of the API server startup arguments or in its configuration file.
 reference:
 - https://kubernetes.io/docs/admin/kube-apiserver/
- tags: cloud,devops,kubernetes,security,devsecops,api-server
+ tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security
 variables:
 argument: "tls-cert-file or tls-private-key-file"
diff --git a/profiles/k8s-cluster-security.yml b/profiles/k8s-cluster-security.yml
new file mode 100644
index 00000000000..bca020c7860
--- /dev/null
+++ b/profiles/k8s-cluster-security.yml
@@ -0,0 +1,6 @@
+# Nuclei scan profile for scanning aws ACLs
+ code: true # enable code templates
+ tags:
+ - k8s-cluster-security # filter templates with "k8s-cluster-security" tags
\ No newline at end of file
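Review bot: The header comment of the new profiles/k8s-cluster-security.yml, `# Nuclei scan profile for scanning aws ACLs`, describes a different profile and looks copied over; since the file selects templates tagged `k8s-cluster-security`, it should read `# Nuclei scan profile for Kubernetes cluster security checks`. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows. Because `code: true` is set and kubernetes-code-env.yaml is tagged `k8s-cluster-security` in this same commit, the environment check will run as part of this profile; a short comment on the `tags:` entry stating that this is intended would help the next reader.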