Kubescape Scan Report


Summary:

All | Failed | Skipped
 26 |     16 |       2

Details

Severity | Control Name                                                          | Failed Resources | All Resources | Risk Score, %
Critical | Disable anonymous access to Kubelet service                           |                0 |             0 |             0
Critical | Enforce Kubelet client TLS authentication                             |                0 |             0 |             0
High     | Applications credentials in configuration files                       |                2 |            35 |             6
High     | CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability         |                0 |             0 |             0
High     | HostPath mount                                                        |                0 |            18 |             0
High     | List Kubernetes secrets                                               |                5 |            83 |             6
High     | Privileged container                                                  |                1 |            18 |             5
High     | Writable hostPath mount                                               |                0 |            18 |             0
Medium   | Access container service account                                      |               10 |            55 |            18
Medium   | Administrative Roles                                                  |                3 |            83 |             4
Medium   | Audit logs enabled                                                    |                1 |             1 |           100
Medium   | CVE-2021-25741 - Using symlink for arbitrary host file system access. |                0 |             0 |             0
Medium   | Cluster internal networking                                           |                4 |             8 |            50
Medium   | CoreDNS poisoning                                                     |                4 |            83 |             5
Medium   | Delete Kubernetes events                                              |                3 |            83 |             4
Medium   | Exposed sensitive interfaces                                          |                0 |             5 |             0
Medium   | Mount service principal                                               |                0 |            18 |             0
Medium   | Prevent containers from allowing command execution                    |                3 |            83 |             4
Medium   | Roles with delete capabilities                                        |                4 |            83 |             5
Medium   | Secret/etcd encryption enabled                                        |                1 |             1 |           100
Medium   | Validate admission controller (mutating)                              |                1 |             1 |           100
Low      | Access Kubernetes dashboard                                           |                0 |           101 |             0
Low      | Kubernetes CronJob                                                    |                0 |             0 |             0
Low      | PSP enabled                                                           |                1 |             1 |           100
Low      | SSH server running inside container                                   |                1 |             4 |            25
Low      | Validate admission controller (validating)                            |                6 |             6 |           100

Failed Resources:


Name: kubernetes-dashboard

ApiVersion: v1

Kind: Namespace

Name: kubernetes-dashboard

Namespace:

Severity Name Docs Assisted Remediation
Medium Cluster internal networking C-0054

Name: users.iam.kubesphere.io

ApiVersion: admissionregistration.k8s.io/v1

Kind: ValidatingWebhookConfiguration

Name: users.iam.kubesphere.io

Namespace:

Severity Name Docs Assisted Remediation
Low Validate admission controller (validating) C-0036

Name: resourcesquotas.quota.kubesphere.io

ApiVersion: admissionregistration.k8s.io/v1

Kind: ValidatingWebhookConfiguration

Name: resourcesquotas.quota.kubesphere.io

Namespace:

Severity Name Docs Assisted Remediation
Low Validate admission controller (validating) C-0036

Name: kubesphere-monitoring-system

ApiVersion: v1

Kind: Namespace

Name: kubesphere-monitoring-system

Namespace:

Severity Name Docs Assisted Remediation
Medium Cluster internal networking C-0054

Name: network.kubesphere.io

ApiVersion: admissionregistration.k8s.io/v1

Kind: ValidatingWebhookConfiguration

Name: network.kubesphere.io

Namespace:

Severity Name Docs Assisted Remediation
Low Validate admission controller (validating) C-0036

Name: kubesphere-controls-system

ApiVersion: v1

Kind: Namespace

Name: kubesphere-controls-system

Namespace:

Severity Name Docs Assisted Remediation
Medium Cluster internal networking C-0054

Name: rulegroups.alerting.kubesphere.io

ApiVersion: admissionregistration.k8s.io/v1

Kind: ValidatingWebhookConfiguration

Name: rulegroups.alerting.kubesphere.io

Namespace:

Severity Name Docs Assisted Remediation
Low Validate admission controller (validating) C-0036

Name: storageclass-accessor.storage.kubesphere.io

ApiVersion: admissionregistration.k8s.io/v1

Kind: ValidatingWebhookConfiguration

Name: storageclass-accessor.storage.kubesphere.io

Namespace:

Severity Name Docs Assisted Remediation
Low Validate admission controller (validating) C-0036

Name: kubesphere-monitoring-federated

ApiVersion: v1

Kind: Namespace

Name: kubesphere-monitoring-federated

Namespace:

Severity Name Docs Assisted Remediation
Medium Cluster internal networking C-0054

Name: kubeadm:cluster-admins

ApiVersion: rbac.authorization.k8s.io

Kind: Group

Name: kubeadm:cluster-admins

Namespace:

Severity Name Docs Assisted Remediation
Medium Prevent containers from allowing command execution C-0002

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Medium Delete Kubernetes events C-0031

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Medium Roles with delete capabilities C-0007

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Medium Administrative Roles C-0035

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Medium CoreDNS poisoning C-0037

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

High List Kubernetes secrets C-0015

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Name: cluster.kubesphere.io

ApiVersion: admissionregistration.k8s.io/v1

Kind: ValidatingWebhookConfiguration

Name: cluster.kubesphere.io

Namespace:

Severity Name Docs Assisted Remediation
Low Validate admission controller (validating) C-0036

Name: rulegroups.alerting.kubesphere.io

ApiVersion: admissionregistration.k8s.io/v1

Kind: MutatingWebhookConfiguration

Name: rulegroups.alerting.kubesphere.io

Namespace:

Severity Name Docs Assisted Remediation
Medium Validate admission controller (mutating) C-0039

Name: mysql

ApiVersion: apps/v1

Kind: Deployment

Name: mysql

Namespace: default

Severity Name Docs Assisted Remediation
High Applications credentials in configuration files C-0012

spec.template.spec.containers[0].env[0].name

spec.template.spec.containers[0].env[0].value

Name: kali-pod

ApiVersion:

Kind: Pod

Name: kali-pod

Namespace: default

Severity Name Docs Assisted Remediation
Low SSH server running inside container C-0042

metadata.labels

Name: kali-pod

ApiVersion: v1

Kind: Pod

Name: kali-pod

Namespace: default

Severity Name Docs Assisted Remediation
High Privileged container C-0057

spec.containers[0].securityContext.privileged

Name: cluster-info

ApiVersion: v1

Kind: ConfigMap

Name: cluster-info

Namespace: kube-public

Severity Name Docs Assisted Remediation
High Applications credentials in configuration files C-0012

data[kubeconfig]

Name: leader-election-controller

ApiVersion:

Kind: ServiceAccount

Name: leader-election-controller

Namespace: kube-system

Severity Name Docs Assisted Remediation
Medium Access container service account C-0053

Name: legacy-service-account-token-cleaner

ApiVersion:

Kind: ServiceAccount

Name: legacy-service-account-token-cleaner

Namespace: kube-system

Severity Name Docs Assisted Remediation
Medium Roles with delete capabilities C-0007

relatedObjects[1].rules[1].resources[0]

relatedObjects[1].rules[1].verbs[0]

relatedObjects[1].rules[1].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Medium Access container service account C-0053

Name: snapshot-controller

ApiVersion:

Kind: ServiceAccount

Name: snapshot-controller

Namespace: kube-system

Severity Name Docs Assisted Remediation
Medium Access container service account C-0053

Name: kube-apiserver-minikube

ApiVersion: v1

Kind: Pod

Name: kube-apiserver-minikube

Namespace: kube-system

Severity Name Docs Assisted Remediation
Medium Secret/etcd encryption enabled C-0066

spec.containers[0].command[28]=--encryption-provider-config=YOUR_VALUE

Low PSP enabled C-0068

spec.containers[0].command[5]

Medium Audit logs enabled C-0067

spec.containers[0].command

Name: validatingadmissionpolicy-status-controller

ApiVersion:

Kind: ServiceAccount

Name: validatingadmissionpolicy-status-controller

Namespace: kube-system

Severity Name Docs Assisted Remediation
Medium Access container service account C-0053

Name: snapshot-controller

ApiVersion:

Kind: ServiceAccount

Name: snapshot-controller

Namespace: kube-system

Severity Name Docs Assisted Remediation
Medium Access container service account C-0053

Name: kubernetes-dashboard-metrics-scraper

ApiVersion:

Kind: ServiceAccount

Name: kubernetes-dashboard-metrics-scraper

Namespace: kubernetes-dashboard

Severity Name Docs Assisted Remediation
Medium Access container service account C-0053

Name: kubesphere-router-serviceaccount

ApiVersion:

Kind: ServiceAccount

Name: kubesphere-router-serviceaccount

Namespace: kubesphere-controls-system

Severity Name Docs Assisted Remediation
Medium CoreDNS poisoning C-0037

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[3]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

High List Kubernetes secrets C-0015

relatedObjects[1].rules[0].resources[4]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].verbs[1]

relatedObjects[1].rules[0].verbs[2]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Medium Access container service account C-0053

Name: kubesphere-router-serviceaccount

ApiVersion:

Kind: ServiceAccount

Name: kubesphere-router-serviceaccount

Namespace: kubesphere-controls-system

Severity Name Docs Assisted Remediation
High List Kubernetes secrets C-0015

relatedObjects[1].rules[0].resources[2]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Medium Access container service account C-0053

Name: kubesphere-cluster-admin

ApiVersion:

Kind: ServiceAccount

Name: kubesphere-cluster-admin

Namespace: kubesphere-controls-system

Severity Name Docs Assisted Remediation
Medium Prevent containers from allowing command execution C-0002

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Medium Delete Kubernetes events C-0031

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Medium Roles with delete capabilities C-0007

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Medium Administrative Roles C-0035

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Medium CoreDNS poisoning C-0037

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

High List Kubernetes secrets C-0015

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Medium Access container service account C-0053

Name: kubesphere

ApiVersion:

Kind: ServiceAccount

Name: kubesphere

Namespace: kubesphere-system

Severity Name Docs Assisted Remediation
Medium Prevent containers from allowing command execution C-0002

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Medium Delete Kubernetes events C-0031

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Medium Roles with delete capabilities C-0007

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Medium Administrative Roles C-0035

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Medium CoreDNS poisoning C-0037

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

High List Kubernetes secrets C-0015

relatedObjects[1].rules[0].resources[0]

relatedObjects[1].rules[0].verbs[0]

relatedObjects[1].rules[0].apiGroups[0]

relatedObjects[0].subjects[0]

relatedObjects[0].roleRef.name

Medium Access container service account C-0053