docs/examples/json-report-sample.json
{
"metadata": { "aks": { "resourceGroup": null, "clusterName": null, "subscriptionId": null }, "score": 37.0, "clusterName": "aks-0402-dev-uks", "generatedAt": "2025-04-22T10:53:00Z", "kubernetesVersion": "v1.30.11" }, "checks": { "WRK008": { "Total": 0, "URL": "https://kubernetes.io/docs/concepts/workloads/controllers/deployment/", "Name": "Deployment Selector Without Matching Pods", "Description": "Detects Deployments whose spec.selector does not match any existing Pods. This results in 0 replicas running.", "Recommendation": "Ensure that pod labels match the Deployment selector.", "Weight": 2, "ID": "WRK008", "Message": "No issues detected for Deployment Selector Without Matching Pods.", "ResourceKind": "Deployment", "Section": "Workloads", "Category": "Workloads", "Severity": "Medium", "Items": [] }, "SEC008": { "Total": 20, "URL": "https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables", "Name": "Secrets in Environment Variables", "Description": "Detects secrets injected into pods via environment variables using env.valueFrom.secretKeyRef. This makes secrets easier to leak through logs or /proc inspection.\n", "Recommendation": "Avoid exposing secrets in environment variables. 
Mount secrets as volumes instead.", "Weight": 4, "ID": "SEC008", "ResourceKind": "Pod", "Section": "Security", "Category": "Pod Security", "Severity": "High", "Items": [ { "Namespace": "argocd", "Pod": "pod/argocd-application-controller-0", "EnvVar": "env: REDIS_PASSWORD", "Issue": "Secret argocd-redis exposed via env var in container argocd-application-controller" }, { "Namespace": "argocd", "Pod": "pod/argocd-redis-ha-haproxy-fb657456c-kjbkq", "EnvVar": "env: AUTH", "Issue": "Secret argocd-redis exposed via env var in container haproxy" }, { "Namespace": "argocd", "Pod": "pod/argocd-redis-ha-haproxy-fb657456c-kjlpf", "EnvVar": "env: AUTH", "Issue": "Secret argocd-redis exposed via env var in container haproxy" }, { "Namespace": "argocd", "Pod": "pod/argocd-redis-ha-haproxy-fb657456c-tnjmb", "EnvVar": "env: AUTH", "Issue": "Secret argocd-redis exposed via env var in container haproxy" }, { "Namespace": "argocd", "Pod": "pod/argocd-redis-ha-server-0", "EnvVar": "env: AUTH", "Issue": "Secret argocd-redis exposed via env var in container redis" }, { "Namespace": "argocd", "Pod": "pod/argocd-redis-ha-server-0", "EnvVar": "env: AUTH", "Issue": "Secret argocd-redis exposed via env var in container sentinel" }, { "Namespace": "argocd", "Pod": "pod/argocd-redis-ha-server-0", "EnvVar": "env: AUTH", "Issue": "Secret argocd-redis exposed via env var in container split-brain-fix" }, { "Namespace": "argocd", "Pod": "pod/argocd-redis-ha-server-0", "EnvVar": "env: AUTH", "Issue": "Secret argocd-redis exposed via env var in container config-init" }, { "Namespace": "argocd", "Pod": "pod/argocd-redis-ha-server-1", "EnvVar": "env: AUTH", "Issue": "Secret argocd-redis exposed via env var in container redis" }, { "Namespace": "argocd", "Pod": "pod/argocd-redis-ha-server-1", "EnvVar": "env: AUTH", "Issue": "Secret argocd-redis exposed via env var in container sentinel" }, { "Namespace": "argocd", "Pod": "pod/argocd-redis-ha-server-1", "EnvVar": "env: AUTH", "Issue": "Secret 
argocd-redis exposed via env var in container split-brain-fix" }, { "Namespace": "argocd", "Pod": "pod/argocd-redis-ha-server-1", "EnvVar": "env: AUTH", "Issue": "Secret argocd-redis exposed via env var in container config-init" }, { "Namespace": "argocd", "Pod": "pod/argocd-redis-ha-server-2", "EnvVar": "env: AUTH", "Issue": "Secret argocd-redis exposed via env var in container redis" }, { "Namespace": "argocd", "Pod": "pod/argocd-redis-ha-server-2", "EnvVar": "env: AUTH", "Issue": "Secret argocd-redis exposed via env var in container sentinel" }, { "Namespace": "argocd", "Pod": "pod/argocd-redis-ha-server-2", "EnvVar": "env: AUTH", "Issue": "Secret argocd-redis exposed via env var in container split-brain-fix" }, { "Namespace": "argocd", "Pod": "pod/argocd-redis-ha-server-2", "EnvVar": "env: AUTH", "Issue": "Secret argocd-redis exposed via env var in container config-init" }, { "Namespace": "argocd", "Pod": "pod/argocd-repo-server-8568fc89b5-sx6ks", "EnvVar": "env: REDIS_PASSWORD", "Issue": "Secret argocd-redis exposed via env var in container argocd-repo-server" }, { "Namespace": "argocd", "Pod": "pod/argocd-repo-server-8568fc89b5-xrzzn", "EnvVar": "env: REDIS_PASSWORD", "Issue": "Secret argocd-redis exposed via env var in container argocd-repo-server" }, { "Namespace": "argocd", "Pod": "pod/argocd-server-54f9645b87-k4rz8", "EnvVar": "env: REDIS_PASSWORD", "Issue": "Secret argocd-redis exposed via env var in container argocd-server" }, { "Namespace": "argocd", "Pod": "pod/argocd-server-54f9645b87-wwzgz", "EnvVar": "env: REDIS_PASSWORD", "Issue": "Secret argocd-redis exposed via env var in container argocd-server" } ] }, "AKSBP010": { "ID": "AKSBP010", "Severity": "Medium", "URL": "https://learn.microsoft.com/azure/aks/faq#can-i-provide-my-own-name-for-the-aks-node-resource-group-", "FailMessage": "", "Name": "Customized MC_ Resource Group Name", "Recommendation": "Customized MC_ Resource Group Name is enabled.", "Status": "✅ PASS", "Category": "Best Practices", 
"Total": 0, "Items": null }, "EVENT001": { "Total": 0, "URL": "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#event-v1-core", "Name": "Grouped Warning Events", "Description": "Groups recent Warning events by Reason and Message.", "Recommendation": "Check for recurring issues. Investigate sources using `kubectl describe` or logs.", "Weight": 2, "ID": "EVENT001", "Message": "No issues detected for Grouped Warning Events.", "ResourceKind": "events", "Section": "Kubernetes Events", "Category": "Events", "Severity": "medium", "Items": [] }, "WRK002": { "Total": 0, "URL": "https://kubernetes.io/docs/concepts/workloads/controllers/deployment/", "Name": "Deployment Missing Replicas", "Description": "Detects Deployments where the number of available replicas is less than desired.", "Recommendation": "Check Deployments that are not meeting their replica count. This may indicate rollout issues or failed pods.", "Weight": 3, "ID": "WRK002", "Message": "No issues detected for Deployment Missing Replicas.", "ResourceKind": "Deployment", "Section": "Workloads", "Category": "Workloads", "Severity": "Warning", "Items": [] }, "SEC003": { "Total": 380, "URL": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", "Name": "Pods Running as Root", "Description": "Detects pods running with UID 0 or no explicit runAsUser setting (defaults to root).", "Recommendation": "Avoid running pods as root by explicitly setting runAsUser to a non-zero UID in pod or container securityContext.", "Weight": 5, "ID": "SEC003", "ResourceKind": "Pod", "Section": "Security", "Category": "Pod Security", "Severity": "High", "Items": [ { "Namespace": "aks-istio-ingress", "Resource": "pod/aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "aks-istio-ingress", "Resource": "pod/aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4", 
"Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "aks-istio-ingress", "Resource": "pod/aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "aks-istio-ingress", "Resource": "pod/aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "aks-istio-system", "Resource": "pod/istiod-asm-1-23-7744d5fbf4-9572m", "Value": "Not Set (Defaults to root)", "Message": "Container discovery runs as root or has no runAsUser set" }, { "Namespace": "aks-istio-system", "Resource": "pod/istiod-asm-1-23-7744d5fbf4-9572m", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "aks-istio-system", "Resource": "pod/istiod-asm-1-23-7744d5fbf4-9572m", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "aks-istio-system", "Resource": "pod/istiod-asm-1-23-7744d5fbf4-rqzvt", "Value": "Not Set (Defaults to root)", "Message": "Container discovery runs as root or has no runAsUser set" }, { "Namespace": "aks-istio-system", "Resource": "pod/istiod-asm-1-23-7744d5fbf4-rqzvt", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "aks-istio-system", "Resource": "pod/istiod-asm-1-23-7744d5fbf4-rqzvt", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "app-routing-system", "Resource": "pod/nginx-69fcb489fd-4wgk9", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "app-routing-system", "Resource": "pod/nginx-69fcb489fd-4wgk9", "Value": "Not Set (Defaults to root)", "Message": 
"Container runs as root or has no runAsUser set" }, { "Namespace": "app-routing-system", "Resource": "pod/nginx-69fcb489fd-64v6k", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "app-routing-system", "Resource": "pod/nginx-69fcb489fd-64v6k", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "argo-rollouts", "Resource": "pod/simple-deployment-74fd649f8d-996vt", "Value": "Not Set (Defaults to root)", "Message": "Container webserver-simple runs as root or has no runAsUser set" }, { "Namespace": "argo-rollouts", "Resource": "pod/simple-deployment-74fd649f8d-996vt", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "argo-rollouts", "Resource": "pod/simple-deployment-74fd649f8d-996vt", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "argo-workflows", "Resource": "pod/simple-deployment-74fd649f8d-24t56", "Value": "Not Set (Defaults to root)", "Message": "Container webserver-simple runs as root or has no runAsUser set" }, { "Namespace": "argo-workflows", "Resource": "pod/simple-deployment-74fd649f8d-24t56", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "argo-workflows", "Resource": "pod/simple-deployment-74fd649f8d-24t56", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-application-controller-0", "Value": "Not Set (Defaults to root)", "Message": "Container argocd-application-controller runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-application-controller-0", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "argocd", 
"Resource": "pod/argocd-application-controller-0", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-applicationset-controller-6fdf84dbb6-msffz", "Value": "Not Set (Defaults to root)", "Message": "Container argocd-applicationset-controller runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-applicationset-controller-6fdf84dbb6-msffz", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-applicationset-controller-6fdf84dbb6-msffz", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-dex-server-556c76889-h4kxj", "Value": "Not Set (Defaults to root)", "Message": "Container dex runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-dex-server-556c76889-h4kxj", "Value": "Not Set (Defaults to root)", "Message": "Container copyutil runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-dex-server-556c76889-h4kxj", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-notifications-controller-6ff6bf8dd6-nbktr", "Value": "Not Set (Defaults to root)", "Message": "Container argocd-notifications-controller runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-notifications-controller-6ff6bf8dd6-nbktr", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-notifications-controller-6ff6bf8dd6-nbktr", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": 
"pod/argocd-repo-server-8568fc89b5-sx6ks", "Value": "Not Set (Defaults to root)", "Message": "Container argocd-repo-server runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-repo-server-8568fc89b5-sx6ks", "Value": "Not Set (Defaults to root)", "Message": "Container copyutil runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-repo-server-8568fc89b5-sx6ks", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-repo-server-8568fc89b5-xrzzn", "Value": "Not Set (Defaults to root)", "Message": "Container argocd-repo-server runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-repo-server-8568fc89b5-xrzzn", "Value": "Not Set (Defaults to root)", "Message": "Container copyutil runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-repo-server-8568fc89b5-xrzzn", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-server-54f9645b87-k4rz8", "Value": "Not Set (Defaults to root)", "Message": "Container argocd-server runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-server-54f9645b87-k4rz8", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-server-54f9645b87-k4rz8", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-server-54f9645b87-wwzgz", "Value": "Not Set (Defaults to root)", "Message": "Container argocd-server runs as root or has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-server-54f9645b87-wwzgz", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or 
has no runAsUser set" }, { "Namespace": "argocd", "Resource": "pod/argocd-server-54f9645b87-wwzgz", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "cert-manager", "Resource": "pod/simple-deployment-74fd649f8d-7cht8", "Value": "Not Set (Defaults to root)", "Message": "Container webserver-simple runs as root or has no runAsUser set" }, { "Namespace": "cert-manager", "Resource": "pod/simple-deployment-74fd649f8d-7cht8", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "cert-manager", "Resource": "pod/simple-deployment-74fd649f8d-7cht8", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "gatekeeper-system", "Resource": "pod/gatekeeper-audit-77858c8f69-7k782", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "gatekeeper-system", "Resource": "pod/gatekeeper-audit-77858c8f69-7k782", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "gatekeeper-system", "Resource": "pod/gatekeeper-controller-6f97954b4b-7tbnr", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "gatekeeper-system", "Resource": "pod/gatekeeper-controller-6f97954b4b-7tbnr", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "gatekeeper-system", "Resource": "pod/gatekeeper-controller-6f97954b4b-gwrgg", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "gatekeeper-system", "Resource": "pod/gatekeeper-controller-6f97954b4b-gwrgg", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "grafana", "Resource": 
"pod/simple-deployment-74fd649f8d-l7wrd", "Value": "Not Set (Defaults to root)", "Message": "Container webserver-simple runs as root or has no runAsUser set" }, { "Namespace": "grafana", "Resource": "pod/simple-deployment-74fd649f8d-l7wrd", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "grafana", "Resource": "pod/simple-deployment-74fd649f8d-l7wrd", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kiali-operator", "Resource": "pod/kiali-5b88cfb6f8-cm8dz", "Value": "Not Set (Defaults to root)", "Message": "Container kiali runs as root or has no runAsUser set" }, { "Namespace": "kiali-operator", "Resource": "pod/kiali-5b88cfb6f8-cm8dz", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kiali-operator", "Resource": "pod/kiali-5b88cfb6f8-cm8dz", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kiali-operator", "Resource": "pod/kiali-operator-696bd54db-mr8md", "Value": "Not Set (Defaults to root)", "Message": "Container operator runs as root or has no runAsUser set" }, { "Namespace": "kiali-operator", "Resource": "pod/kiali-operator-696bd54db-mr8md", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kiali-operator", "Resource": "pod/kiali-operator-696bd54db-mr8md", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-2l2wl", "Value": "Not Set (Defaults to root)", "Message": "Container node-driver-registrar runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-2l2wl", "Value": "Not Set (Defaults to root)", "Message": "Container secrets-store runs 
as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-2l2wl", "Value": "Not Set (Defaults to root)", "Message": "Container liveness-probe runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-2l2wl", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-2l2wl", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-6w2vp", "Value": "Not Set (Defaults to root)", "Message": "Container node-driver-registrar runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-6w2vp", "Value": "Not Set (Defaults to root)", "Message": "Container secrets-store runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-6w2vp", "Value": "Not Set (Defaults to root)", "Message": "Container liveness-probe runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-6w2vp", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-6w2vp", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-7879c", "Value": "Not Set (Defaults to root)", "Message": "Container node-driver-registrar runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-7879c", "Value": "Not Set (Defaults to root)", "Message": "Container secrets-store runs as root or has no runAsUser set" }, { 
"Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-7879c", "Value": "Not Set (Defaults to root)", "Message": "Container liveness-probe runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-7879c", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-7879c", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-m8m29", "Value": "Not Set (Defaults to root)", "Message": "Container node-driver-registrar runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-m8m29", "Value": "Not Set (Defaults to root)", "Message": "Container secrets-store runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-m8m29", "Value": "Not Set (Defaults to root)", "Message": "Container liveness-probe runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-m8m29", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-m8m29", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-vnmcd", "Value": "Not Set (Defaults to root)", "Message": "Container node-driver-registrar runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-vnmcd", "Value": "Not Set (Defaults to root)", "Message": "Container secrets-store runs as root or has no runAsUser set" }, { "Namespace": "kube-system", 
"Resource": "pod/aks-secrets-store-csi-driver-vnmcd", "Value": "Not Set (Defaults to root)", "Message": "Container liveness-probe runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-vnmcd", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-vnmcd", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-zrfbz", "Value": "Not Set (Defaults to root)", "Message": "Container node-driver-registrar runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-zrfbz", "Value": "Not Set (Defaults to root)", "Message": "Container secrets-store runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-zrfbz", "Value": "Not Set (Defaults to root)", "Message": "Container liveness-probe runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-zrfbz", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-zrfbz", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-68nhw", "Value": "Not Set (Defaults to root)", "Message": "Container provider-azure-installer runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-68nhw", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": 
"pod/aks-secrets-store-provider-azure-68nhw", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-7bqmn", "Value": "Not Set (Defaults to root)", "Message": "Container provider-azure-installer runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-7bqmn", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-7bqmn", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-7r458", "Value": "Not Set (Defaults to root)", "Message": "Container provider-azure-installer runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-7r458", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-7r458", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-k9tdc", "Value": "Not Set (Defaults to root)", "Message": "Container provider-azure-installer runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-k9tdc", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-k9tdc", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": 
"pod/aks-secrets-store-provider-azure-n952g", "Value": "Not Set (Defaults to root)", "Message": "Container provider-azure-installer runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-n952g", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-n952g", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-njpqh", "Value": "Not Set (Defaults to root)", "Message": "Container provider-azure-installer runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-njpqh", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-njpqh", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-4v8mz", "Value": "Not Set (Defaults to root)", "Message": "Container ama-logs runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-4v8mz", "Value": "Not Set (Defaults to root)", "Message": "Container ama-logs-prometheus runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-4v8mz", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-4v8mz", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-5vr2w", "Value": "Not Set (Defaults to root)", "Message": "Container ama-logs runs as root or has no 
runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-5vr2w", "Value": "Not Set (Defaults to root)", "Message": "Container ama-logs-prometheus runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-5vr2w", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-5vr2w", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-fmd7b", "Value": "Not Set (Defaults to root)", "Message": "Container ama-logs runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-fmd7b", "Value": "Not Set (Defaults to root)", "Message": "Container ama-logs-prometheus runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-fmd7b", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-fmd7b", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-fpkw6", "Value": "Not Set (Defaults to root)", "Message": "Container ama-logs runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-fpkw6", "Value": "Not Set (Defaults to root)", "Message": "Container ama-logs-prometheus runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-fpkw6", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-fpkw6", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-gqs28", "Value": "Not 
Set (Defaults to root)", "Message": "Container ama-logs runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-gqs28", "Value": "Not Set (Defaults to root)", "Message": "Container ama-logs-prometheus runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-gqs28", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-gqs28", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-ndxrw", "Value": "Not Set (Defaults to root)", "Message": "Container ama-logs runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-ndxrw", "Value": "Not Set (Defaults to root)", "Message": "Container ama-logs-prometheus runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-ndxrw", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-ndxrw", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-rs-64765bd4b9-ldxwl", "Value": "Not Set (Defaults to root)", "Message": "Container ama-logs runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-rs-64765bd4b9-ldxwl", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-rs-64765bd4b9-ldxwl", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-7f878d975f-hlggb", "Value": "Not Set (Defaults to root)", "Message": "Container 
prometheus-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-7f878d975f-hlggb", "Value": "Not Set (Defaults to root)", "Message": "Container addon-token-adapter runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-7f878d975f-hlggb", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-7f878d975f-hlggb", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-7f878d975f-q2mlg", "Value": "Not Set (Defaults to root)", "Message": "Container prometheus-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-7f878d975f-q2mlg", "Value": "Not Set (Defaults to root)", "Message": "Container addon-token-adapter runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-7f878d975f-q2mlg", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-7f878d975f-q2mlg", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-2ssrw", "Value": "Not Set (Defaults to root)", "Message": "Container prometheus-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-2ssrw", "Value": "Not Set (Defaults to root)", "Message": "Container addon-token-adapter runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-2ssrw", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": 
"pod/ama-metrics-node-2ssrw", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-6kkz8", "Value": "Not Set (Defaults to root)", "Message": "Container prometheus-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-6kkz8", "Value": "Not Set (Defaults to root)", "Message": "Container addon-token-adapter runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-6kkz8", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-6kkz8", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-9h44h", "Value": "Not Set (Defaults to root)", "Message": "Container prometheus-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-9h44h", "Value": "Not Set (Defaults to root)", "Message": "Container addon-token-adapter runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-9h44h", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-9h44h", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-lhk42", "Value": "Not Set (Defaults to root)", "Message": "Container prometheus-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-lhk42", "Value": "Not Set (Defaults to root)", "Message": "Container addon-token-adapter runs as root or has no runAsUser set" }, { 
"Namespace": "kube-system", "Resource": "pod/ama-metrics-node-lhk42", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-lhk42", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-nm5bf", "Value": "Not Set (Defaults to root)", "Message": "Container prometheus-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-nm5bf", "Value": "Not Set (Defaults to root)", "Message": "Container addon-token-adapter runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-nm5bf", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-nm5bf", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-pqcz5", "Value": "Not Set (Defaults to root)", "Message": "Container prometheus-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-pqcz5", "Value": "Not Set (Defaults to root)", "Message": "Container addon-token-adapter runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-pqcz5", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-node-pqcz5", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-operator-targets-66fb46c8d6-vskdg", "Value": "Not Set (Defaults to root)", "Message": "Container targetallocator runs as 
root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-operator-targets-66fb46c8d6-vskdg", "Value": "Not Set (Defaults to root)", "Message": "Container config-reader runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-operator-targets-66fb46c8d6-vskdg", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/ama-metrics-operator-targets-66fb46c8d6-vskdg", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-4522j", "Value": "Not Set (Defaults to root)", "Message": "Container azure-ip-masq-agent runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-4522j", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-4522j", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-4c7cr", "Value": "Not Set (Defaults to root)", "Message": "Container azure-ip-masq-agent runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-4c7cr", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-4c7cr", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-78rnw", "Value": "Not Set (Defaults to root)", "Message": "Container azure-ip-masq-agent runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": 
"pod/azure-ip-masq-agent-78rnw", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-78rnw", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-84ltn", "Value": "Not Set (Defaults to root)", "Message": "Container azure-ip-masq-agent runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-84ltn", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-84ltn", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-t4c2w", "Value": "Not Set (Defaults to root)", "Message": "Container azure-ip-masq-agent runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-t4c2w", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-t4c2w", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-vbdd8", "Value": "Not Set (Defaults to root)", "Message": "Container azure-ip-masq-agent runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-vbdd8", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-vbdd8", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", 
"Resource": "pod/azure-npm-jsbbh", "Value": "Not Set (Defaults to root)", "Message": "Container azure-npm runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-jsbbh", "Value": "Not Set (Defaults to root)", "Message": "Container block-wireserver runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-jsbbh", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-lp6sf", "Value": "Not Set (Defaults to root)", "Message": "Container azure-npm runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-lp6sf", "Value": "Not Set (Defaults to root)", "Message": "Container block-wireserver runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-lp6sf", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-nv6xx", "Value": "Not Set (Defaults to root)", "Message": "Container azure-npm runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-nv6xx", "Value": "Not Set (Defaults to root)", "Message": "Container block-wireserver runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-nv6xx", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-p6fpw", "Value": "Not Set (Defaults to root)", "Message": "Container azure-npm runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-p6fpw", "Value": "Not Set (Defaults to root)", "Message": "Container block-wireserver runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-p6fpw", "Value": "Not Set 
(Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-vsrfp", "Value": "Not Set (Defaults to root)", "Message": "Container azure-npm runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-vsrfp", "Value": "Not Set (Defaults to root)", "Message": "Container block-wireserver runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-vsrfp", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-z8mcz", "Value": "Not Set (Defaults to root)", "Message": "Container azure-npm runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-z8mcz", "Value": "Not Set (Defaults to root)", "Message": "Container block-wireserver runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-z8mcz", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-policy-698f7c86b4-nnff2", "Value": "Not Set (Defaults to root)", "Message": "Container azure-policy runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-policy-698f7c86b4-nnff2", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-policy-698f7c86b4-nnff2", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-policy-webhook-764fdf5cd5-6vrc5", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-policy-webhook-764fdf5cd5-6vrc5", "Value": "Not Set (Defaults 
to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-wi-webhook-controller-manager-7f95f666d4-7r44b", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-wi-webhook-controller-manager-7f95f666d4-7r44b", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-wi-webhook-controller-manager-7f95f666d4-xfh2p", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/azure-wi-webhook-controller-manager-7f95f666d4-xfh2p", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-57rk2", "Value": "Not Set (Defaults to root)", "Message": "Container cloud-node-manager runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-57rk2", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-57rk2", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-gl5xl", "Value": "Not Set (Defaults to root)", "Message": "Container cloud-node-manager runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-gl5xl", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-gl5xl", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": 
"kube-system", "Resource": "pod/cloud-node-manager-l7v5j", "Value": "Not Set (Defaults to root)", "Message": "Container cloud-node-manager runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-l7v5j", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-l7v5j", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-lr49d", "Value": "Not Set (Defaults to root)", "Message": "Container cloud-node-manager runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-lr49d", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-lr49d", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-n5qdr", "Value": "Not Set (Defaults to root)", "Message": "Container cloud-node-manager runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-n5qdr", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-n5qdr", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-xwrrd", "Value": "Not Set (Defaults to root)", "Message": "Container cloud-node-manager runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-xwrrd", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { 
"Namespace": "kube-system", "Resource": "pod/cloud-node-manager-xwrrd", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/coredns-658d6d767d-757xp", "Value": "Not Set (Defaults to root)", "Message": "Container coredns runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/coredns-658d6d767d-757xp", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/coredns-658d6d767d-757xp", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/coredns-658d6d767d-pt6l6", "Value": "Not Set (Defaults to root)", "Message": "Container coredns runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/coredns-658d6d767d-pt6l6", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/coredns-658d6d767d-pt6l6", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/coredns-autoscaler-5955d6bbdb-mz9kn", "Value": "Not Set (Defaults to root)", "Message": "Container autoscaler runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/coredns-autoscaler-5955d6bbdb-mz9kn", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/coredns-autoscaler-5955d6bbdb-mz9kn", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/eraser-controller-manager-864f9476c8-lhdfc", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no 
runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/eraser-controller-manager-864f9476c8-lhdfc", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/extension-agent-66c4486d68-46cqq", "Value": "Not Set (Defaults to root)", "Message": "Container extension-agent runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/extension-agent-66c4486d68-46cqq", "Value": "Not Set (Defaults to root)", "Message": "Container fluent-bit runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/extension-agent-66c4486d68-46cqq", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/extension-agent-66c4486d68-46cqq", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/extension-operator-d95fd449b-ssrcx", "Value": "Not Set (Defaults to root)", "Message": "Container manager runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/extension-operator-d95fd449b-ssrcx", "Value": "Not Set (Defaults to root)", "Message": "Container fluent-bit runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/extension-operator-d95fd449b-ssrcx", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/extension-operator-d95fd449b-ssrcx", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/konnectivity-agent-9f65c5cd8-fzm5q", "Value": "Not Set (Defaults to root)", "Message": "Container konnectivity-agent runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": 
"pod/konnectivity-agent-9f65c5cd8-fzm5q", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/konnectivity-agent-9f65c5cd8-fzm5q", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/konnectivity-agent-9f65c5cd8-t9qdj", "Value": "Not Set (Defaults to root)", "Message": "Container konnectivity-agent runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/konnectivity-agent-9f65c5cd8-t9qdj", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/konnectivity-agent-9f65c5cd8-t9qdj", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/konnectivity-agent-autoscaler-cdfc7c46-vct7p", "Value": "Not Set (Defaults to root)", "Message": "Container autoscaler runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/konnectivity-agent-autoscaler-cdfc7c46-vct7p", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/konnectivity-agent-autoscaler-cdfc7c46-vct7p", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-26xkd", "Value": "Not Set (Defaults to root)", "Message": "Container kube-proxy runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-26xkd", "Value": "Not Set (Defaults to root)", "Message": "Container kube-proxy-bootstrap runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-26xkd", "Value": "Not Set (Defaults to root)", "Message": 
"Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-6mrql", "Value": "Not Set (Defaults to root)", "Message": "Container kube-proxy runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-6mrql", "Value": "Not Set (Defaults to root)", "Message": "Container kube-proxy-bootstrap runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-6mrql", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-9rbxf", "Value": "Not Set (Defaults to root)", "Message": "Container kube-proxy runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-9rbxf", "Value": "Not Set (Defaults to root)", "Message": "Container kube-proxy-bootstrap runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-9rbxf", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-njzgk", "Value": "Not Set (Defaults to root)", "Message": "Container kube-proxy runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-njzgk", "Value": "Not Set (Defaults to root)", "Message": "Container kube-proxy-bootstrap runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-njzgk", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-rvmxl", "Value": "Not Set (Defaults to root)", "Message": "Container kube-proxy runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-rvmxl", "Value": "Not Set (Defaults to root)", "Message": "Container kube-proxy-bootstrap runs as root 
or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-rvmxl", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-vp7xj", "Value": "Not Set (Defaults to root)", "Message": "Container kube-proxy runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-vp7xj", "Value": "Not Set (Defaults to root)", "Message": "Container kube-proxy-bootstrap runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-vp7xj", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/metrics-server-5f9ccffcc4-jsrjl", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/metrics-server-5f9ccffcc4-jsrjl", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/metrics-server-5f9ccffcc4-v88pw", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/metrics-server-5f9ccffcc4-v88pw", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-6xdfq", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-pod-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-6xdfq", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-low-level-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": 
"pod/microsoft-defender-collector-ds-6xdfq", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-6xdfq", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-89l74", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-pod-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-89l74", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-low-level-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-89l74", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-89l74", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-d7gwk", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-pod-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-d7gwk", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-low-level-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-d7gwk", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-d7gwk", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { 
"Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-mdcs8", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-pod-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-mdcs8", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-low-level-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-mdcs8", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-mdcs8", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-q6d6c", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-pod-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-q6d6c", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-low-level-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-q6d6c", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-q6d6c", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-wb5dm", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-pod-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-wb5dm", "Value": "Not Set (Defaults to 
root)", "Message": "Container microsoft-defender-low-level-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-wb5dm", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-ds-wb5dm", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-misc-7df6776447-bcbph", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-pod-collector runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-misc-7df6776447-bcbph", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-collector-misc-7df6776447-bcbph", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-publisher-ds-2ql5b", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-publisher runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-publisher-ds-2ql5b", "Value": "Not Set (Defaults to root)", "Message": "Container old-file-cleaner runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-publisher-ds-2ql5b", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-publisher-ds-2rsrw", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-publisher runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": 
"pod/microsoft-defender-publisher-ds-2rsrw", "Value": "Not Set (Defaults to root)", "Message": "Container old-file-cleaner runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-publisher-ds-2rsrw", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-publisher-ds-jj6dh", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-publisher runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-publisher-ds-jj6dh", "Value": "Not Set (Defaults to root)", "Message": "Container old-file-cleaner runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-publisher-ds-jj6dh", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-publisher-ds-l5crs", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-publisher runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-publisher-ds-l5crs", "Value": "Not Set (Defaults to root)", "Message": "Container old-file-cleaner runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-publisher-ds-l5crs", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-publisher-ds-lfk8h", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-publisher runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-publisher-ds-lfk8h", "Value": "Not Set (Defaults to root)", "Message": "Container old-file-cleaner runs as root or has no runAsUser set" 
}, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-publisher-ds-lfk8h", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-publisher-ds-vz2c6", "Value": "Not Set (Defaults to root)", "Message": "Container microsoft-defender-publisher runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-publisher-ds-vz2c6", "Value": "Not Set (Defaults to root)", "Message": "Container old-file-cleaner runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/microsoft-defender-publisher-ds-vz2c6", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-cgv48", "Value": "Not Set (Defaults to root)", "Message": "Container retina runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-cgv48", "Value": "Not Set (Defaults to root)", "Message": "Container retina-agent-init runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-cgv48", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-gjxk8", "Value": "Not Set (Defaults to root)", "Message": "Container retina runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-gjxk8", "Value": "Not Set (Defaults to root)", "Message": "Container retina-agent-init runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-gjxk8", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-js76w", "Value": "Not Set (Defaults to root)", "Message": 
"Container retina runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-js76w", "Value": "Not Set (Defaults to root)", "Message": "Container retina-agent-init runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-js76w", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-lfn7d", "Value": "Not Set (Defaults to root)", "Message": "Container retina runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-lfn7d", "Value": "Not Set (Defaults to root)", "Message": "Container retina-agent-init runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-lfn7d", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-qc9bs", "Value": "Not Set (Defaults to root)", "Message": "Container retina runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-qc9bs", "Value": "Not Set (Defaults to root)", "Message": "Container retina-agent-init runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-qc9bs", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-wlt7b", "Value": "Not Set (Defaults to root)", "Message": "Container retina runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-wlt7b", "Value": "Not Set (Defaults to root)", "Message": "Container retina-agent-init runs as root or has no runAsUser set" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-wlt7b", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or 
has no runAsUser set" }, { "Namespace": "kubeview", "Resource": "pod/simple-deployment-74fd649f8d-qxp2r", "Value": "Not Set (Defaults to root)", "Message": "Container webserver-simple runs as root or has no runAsUser set" }, { "Namespace": "kubeview", "Resource": "pod/simple-deployment-74fd649f8d-qxp2r", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "kubeview", "Resource": "pod/simple-deployment-74fd649f8d-qxp2r", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "linkerd", "Resource": "pod/simple-deployment-74fd649f8d-mkmst", "Value": "Not Set (Defaults to root)", "Message": "Container webserver-simple runs as root or has no runAsUser set" }, { "Namespace": "linkerd", "Resource": "pod/simple-deployment-74fd649f8d-mkmst", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "linkerd", "Resource": "pod/simple-deployment-74fd649f8d-mkmst", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "nginx", "Resource": "pod/simple-deployment-74fd649f8d-hlcdk", "Value": "Not Set (Defaults to root)", "Message": "Container webserver-simple runs as root or has no runAsUser set" }, { "Namespace": "nginx", "Resource": "pod/simple-deployment-74fd649f8d-hlcdk", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "nginx", "Resource": "pod/simple-deployment-74fd649f8d-hlcdk", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "pets", "Resource": "pod/order-service-6c5bfb6946-b58xq", "Value": "Not Set (Defaults to root)", "Message": "Container order-service runs as root or has no runAsUser set" }, { "Namespace": "pets", "Resource": "pod/order-service-6c5bfb6946-b58xq", "Value": "Not Set 
(Defaults to root)", "Message": "Container wait-for-rabbitmq runs as root or has no runAsUser set" }, { "Namespace": "pets", "Resource": "pod/order-service-6c5bfb6946-b58xq", "Value": "Not Set (Defaults to root)", "Message": "Container istio-init runs as root or has no runAsUser set" }, { "Namespace": "pets", "Resource": "pod/order-service-6c5bfb6946-b58xq", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "pets", "Resource": "pod/product-service-5dd87dfb8-ssfxc", "Value": "Not Set (Defaults to root)", "Message": "Container product-service runs as root or has no runAsUser set" }, { "Namespace": "pets", "Resource": "pod/product-service-5dd87dfb8-ssfxc", "Value": "Not Set (Defaults to root)", "Message": "Container istio-init runs as root or has no runAsUser set" }, { "Namespace": "pets", "Resource": "pod/product-service-5dd87dfb8-ssfxc", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "pets", "Resource": "pod/rabbitmq-0", "Value": "Not Set (Defaults to root)", "Message": "Container rabbitmq runs as root or has no runAsUser set" }, { "Namespace": "pets", "Resource": "pod/rabbitmq-0", "Value": "Not Set (Defaults to root)", "Message": "Container istio-init runs as root or has no runAsUser set" }, { "Namespace": "pets", "Resource": "pod/rabbitmq-0", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "pets", "Resource": "pod/store-front-658994fd95-pk9qn", "Value": "Not Set (Defaults to root)", "Message": "Container store-front runs as root or has no runAsUser set" }, { "Namespace": "pets", "Resource": "pod/store-front-658994fd95-pk9qn", "Value": "Not Set (Defaults to root)", "Message": "Container istio-init runs as root or has no runAsUser set" }, { "Namespace": "pets", "Resource": "pod/store-front-658994fd95-pk9qn", "Value": "Not Set (Defaults to root)", "Message": 
"Container runs as root or has no runAsUser set" }, { "Namespace": "prometheus", "Resource": "pod/simple-deployment-74fd649f8d-2x6w5", "Value": "Not Set (Defaults to root)", "Message": "Container webserver-simple runs as root or has no runAsUser set" }, { "Namespace": "prometheus", "Resource": "pod/simple-deployment-74fd649f8d-2x6w5", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "prometheus", "Resource": "pod/simple-deployment-74fd649f8d-2x6w5", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "sealed-secrets", "Resource": "pod/simple-deployment-74fd649f8d-stktp", "Value": "Not Set (Defaults to root)", "Message": "Container webserver-simple runs as root or has no runAsUser set" }, { "Namespace": "sealed-secrets", "Resource": "pod/simple-deployment-74fd649f8d-stktp", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "sealed-secrets", "Resource": "pod/simple-deployment-74fd649f8d-stktp", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "test", "Resource": "pod/simple-deployment-74fd649f8d-lhlkx", "Value": "Not Set (Defaults to root)", "Message": "Container webserver-simple runs as root or has no runAsUser set" }, { "Namespace": "test", "Resource": "pod/simple-deployment-74fd649f8d-lhlkx", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" }, { "Namespace": "test", "Resource": "pod/simple-deployment-74fd649f8d-lhlkx", "Value": "Not Set (Defaults to root)", "Message": "Container runs as root or has no runAsUser set" } ] }, "AKSRES001": { "ID": "AKSRES001", "Severity": "Medium", "URL": "https://learn.microsoft.com/azure/aks/cluster-autoscaler", "FailMessage": "", "Name": "Cluster Autoscaler", "Recommendation": "Cluster Autoscaler is enabled.", "Status": 
"✅ PASS", "Category": "Resource Management", "Total": 0, "Items": null }, "SEC010": { "Total": 309, "URL": "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath", "Name": "HostPath Volume Usage", "Description": "Flags pods that use hostPath volumes, which mount parts of the host filesystem. This bypasses isolation and can be dangerous if misused.\n", "Recommendation": "Avoid using hostPath unless absolutely necessary. Use persistent volumes instead.", "Weight": 3, "ID": "SEC010", "ResourceKind": "Pod", "Section": "Security", "Category": "Pod Security", "Severity": "High", "Items": [ { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-2l2wl", "Volume": "mountpoint-dir", "Path": "/var/lib/kubelet/pods", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-2l2wl", "Volume": "registration-dir", "Path": "/var/lib/kubelet/plugins_registry/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-2l2wl", "Volume": "plugin-dir", "Path": "/var/lib/kubelet/plugins/csi-secrets-store/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-2l2wl", "Volume": "providers-dir", "Path": "/var/run/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-2l2wl", "Volume": "providers-dir-0", "Path": "/etc/kubernetes/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-6w2vp", "Volume": "mountpoint-dir", "Path": "/var/lib/kubelet/pods", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-6w2vp", "Volume": "registration-dir", "Path": "/var/lib/kubelet/plugins_registry/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-6w2vp", "Volume": "plugin-dir", "Path": 
"/var/lib/kubelet/plugins/csi-secrets-store/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-6w2vp", "Volume": "providers-dir", "Path": "/var/run/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-6w2vp", "Volume": "providers-dir-0", "Path": "/etc/kubernetes/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-7879c", "Volume": "mountpoint-dir", "Path": "/var/lib/kubelet/pods", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-7879c", "Volume": "registration-dir", "Path": "/var/lib/kubelet/plugins_registry/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-7879c", "Volume": "plugin-dir", "Path": "/var/lib/kubelet/plugins/csi-secrets-store/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-7879c", "Volume": "providers-dir", "Path": "/var/run/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-7879c", "Volume": "providers-dir-0", "Path": "/etc/kubernetes/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-m8m29", "Volume": "mountpoint-dir", "Path": "/var/lib/kubelet/pods", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-m8m29", "Volume": "registration-dir", "Path": "/var/lib/kubelet/plugins_registry/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-m8m29", "Volume": "plugin-dir", "Path": "/var/lib/kubelet/plugins/csi-secrets-store/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": 
"aks-secrets-store-csi-driver-m8m29", "Volume": "providers-dir", "Path": "/var/run/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-m8m29", "Volume": "providers-dir-0", "Path": "/etc/kubernetes/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-vnmcd", "Volume": "mountpoint-dir", "Path": "/var/lib/kubelet/pods", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-vnmcd", "Volume": "registration-dir", "Path": "/var/lib/kubelet/plugins_registry/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-vnmcd", "Volume": "plugin-dir", "Path": "/var/lib/kubelet/plugins/csi-secrets-store/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-vnmcd", "Volume": "providers-dir", "Path": "/var/run/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-vnmcd", "Volume": "providers-dir-0", "Path": "/etc/kubernetes/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-zrfbz", "Volume": "mountpoint-dir", "Path": "/var/lib/kubelet/pods", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-zrfbz", "Volume": "registration-dir", "Path": "/var/lib/kubelet/plugins_registry/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-zrfbz", "Volume": "plugin-dir", "Path": "/var/lib/kubelet/plugins/csi-secrets-store/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-zrfbz", "Volume": "providers-dir", "Path": "/var/run/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { 
"Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-zrfbz", "Volume": "providers-dir-0", "Path": "/etc/kubernetes/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-68nhw", "Volume": "provider-vol", "Path": "/var/run/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-7bqmn", "Volume": "provider-vol", "Path": "/var/run/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-7r458", "Volume": "provider-vol", "Path": "/var/run/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-k9tdc", "Volume": "provider-vol", "Path": "/var/run/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-n952g", "Volume": "provider-vol", "Path": "/var/run/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-njpqh", "Volume": "provider-vol", "Path": "/var/run/secrets-store-csi-providers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-4v8mz", "Volume": "host-root", "Path": "/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-4v8mz", "Volume": "container-hostname", "Path": "/etc/hostname", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-4v8mz", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-4v8mz", "Volume": "mdsd-sock", "Path": "/var/run/mdsd-ci", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-4v8mz", "Volume": "containerlog-path", "Path": "/var/lib/docker/containers", "Issue": 
"hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-4v8mz", "Volume": "containerlog-path-2", "Path": "/mnt/docker", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-4v8mz", "Volume": "containerlog-path-3", "Path": "/mnt/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-4v8mz", "Volume": "azure-json-path", "Path": "/etc/kubernetes", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-5vr2w", "Volume": "host-root", "Path": "/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-5vr2w", "Volume": "container-hostname", "Path": "/etc/hostname", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-5vr2w", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-5vr2w", "Volume": "mdsd-sock", "Path": "/var/run/mdsd-ci", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-5vr2w", "Volume": "containerlog-path", "Path": "/var/lib/docker/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-5vr2w", "Volume": "containerlog-path-2", "Path": "/mnt/docker", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-5vr2w", "Volume": "containerlog-path-3", "Path": "/mnt/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-5vr2w", "Volume": "azure-json-path", "Path": "/etc/kubernetes", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fmd7b", "Volume": "host-root", "Path": "/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fmd7b", "Volume": "container-hostname", "Path": "/etc/hostname", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fmd7b", "Volume": "host-log", "Path": "/var/log", "Issue": 
"hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fmd7b", "Volume": "mdsd-sock", "Path": "/var/run/mdsd-ci", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fmd7b", "Volume": "containerlog-path", "Path": "/var/lib/docker/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fmd7b", "Volume": "containerlog-path-2", "Path": "/mnt/docker", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fmd7b", "Volume": "containerlog-path-3", "Path": "/mnt/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fmd7b", "Volume": "azure-json-path", "Path": "/etc/kubernetes", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fpkw6", "Volume": "host-root", "Path": "/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fpkw6", "Volume": "container-hostname", "Path": "/etc/hostname", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fpkw6", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fpkw6", "Volume": "mdsd-sock", "Path": "/var/run/mdsd-ci", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fpkw6", "Volume": "containerlog-path", "Path": "/var/lib/docker/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fpkw6", "Volume": "containerlog-path-2", "Path": "/mnt/docker", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fpkw6", "Volume": "containerlog-path-3", "Path": "/mnt/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fpkw6", "Volume": "azure-json-path", "Path": "/etc/kubernetes", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-gqs28", "Volume": "host-root", 
"Path": "/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-gqs28", "Volume": "container-hostname", "Path": "/etc/hostname", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-gqs28", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-gqs28", "Volume": "mdsd-sock", "Path": "/var/run/mdsd-ci", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-gqs28", "Volume": "containerlog-path", "Path": "/var/lib/docker/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-gqs28", "Volume": "containerlog-path-2", "Path": "/mnt/docker", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-gqs28", "Volume": "containerlog-path-3", "Path": "/mnt/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-gqs28", "Volume": "azure-json-path", "Path": "/etc/kubernetes", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-ndxrw", "Volume": "host-root", "Path": "/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-ndxrw", "Volume": "container-hostname", "Path": "/etc/hostname", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-ndxrw", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-ndxrw", "Volume": "mdsd-sock", "Path": "/var/run/mdsd-ci", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-ndxrw", "Volume": "containerlog-path", "Path": "/var/lib/docker/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-ndxrw", "Volume": "containerlog-path-2", "Path": "/mnt/docker", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-ndxrw", "Volume": 
"containerlog-path-3", "Path": "/mnt/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-ndxrw", "Volume": "azure-json-path", "Path": "/etc/kubernetes", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-rs-64765bd4b9-ldxwl", "Volume": "container-hostname", "Path": "/etc/hostname", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-rs-64765bd4b9-ldxwl", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-rs-64765bd4b9-ldxwl", "Volume": "azure-json-path", "Path": "/etc/kubernetes", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-hlggb", "Volume": "host-log-containers", "Path": "/var/log/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-hlggb", "Volume": "host-log-pods", "Path": "/var/log/pods", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-hlggb", "Volume": "anchors-mariner", "Path": "/etc/pki/ca-trust/anchors/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-hlggb", "Volume": "anchors-ubuntu", "Path": "/usr/local/share/ca-certificates/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-q2mlg", "Volume": "host-log-containers", "Path": "/var/log/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-q2mlg", "Volume": "host-log-pods", "Path": "/var/log/pods", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-q2mlg", "Volume": "anchors-mariner", "Path": "/etc/pki/ca-trust/anchors/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-q2mlg", "Volume": "anchors-ubuntu", "Path": 
"/usr/local/share/ca-certificates/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-2ssrw", "Volume": "host-log-containers", "Path": "/var/log/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-2ssrw", "Volume": "host-log-pods", "Path": "/var/log/pods", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-2ssrw", "Volume": "anchors-mariner", "Path": "/etc/pki/ca-trust/anchors/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-2ssrw", "Volume": "anchors-ubuntu", "Path": "/usr/local/share/ca-certificates/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-6kkz8", "Volume": "host-log-containers", "Path": "/var/log/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-6kkz8", "Volume": "host-log-pods", "Path": "/var/log/pods", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-6kkz8", "Volume": "anchors-mariner", "Path": "/etc/pki/ca-trust/anchors/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-6kkz8", "Volume": "anchors-ubuntu", "Path": "/usr/local/share/ca-certificates/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-9h44h", "Volume": "host-log-containers", "Path": "/var/log/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-9h44h", "Volume": "host-log-pods", "Path": "/var/log/pods", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-9h44h", "Volume": "anchors-mariner", "Path": "/etc/pki/ca-trust/anchors/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-9h44h", "Volume": "anchors-ubuntu", "Path": "/usr/local/share/ca-certificates/", "Issue": "hostPath 
volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-lhk42", "Volume": "host-log-containers", "Path": "/var/log/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-lhk42", "Volume": "host-log-pods", "Path": "/var/log/pods", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-lhk42", "Volume": "anchors-mariner", "Path": "/etc/pki/ca-trust/anchors/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-lhk42", "Volume": "anchors-ubuntu", "Path": "/usr/local/share/ca-certificates/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-nm5bf", "Volume": "host-log-containers", "Path": "/var/log/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-nm5bf", "Volume": "host-log-pods", "Path": "/var/log/pods", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-nm5bf", "Volume": "anchors-mariner", "Path": "/etc/pki/ca-trust/anchors/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-nm5bf", "Volume": "anchors-ubuntu", "Path": "/usr/local/share/ca-certificates/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-pqcz5", "Volume": "host-log-containers", "Path": "/var/log/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-pqcz5", "Volume": "host-log-pods", "Path": "/var/log/pods", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-pqcz5", "Volume": "anchors-mariner", "Path": "/etc/pki/ca-trust/anchors/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-pqcz5", "Volume": "anchors-ubuntu", "Path": "/usr/local/share/ca-certificates/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": 
"azure-ip-masq-agent-4522j", "Volume": "iptableslock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-4c7cr", "Volume": "iptableslock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-78rnw", "Volume": "iptableslock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-84ltn", "Volume": "iptableslock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-t4c2w", "Volume": "iptableslock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-vbdd8", "Volume": "iptableslock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-jsbbh", "Volume": "log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-jsbbh", "Volume": "xtables-lock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-jsbbh", "Volume": "protocols", "Path": "/etc/protocols", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-lp6sf", "Volume": "log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-lp6sf", "Volume": "xtables-lock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-lp6sf", "Volume": "protocols", "Path": "/etc/protocols", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-nv6xx", "Volume": "log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-nv6xx", "Volume": "xtables-lock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" 
}, { "Namespace": "kube-system", "Pod": "azure-npm-nv6xx", "Volume": "protocols", "Path": "/etc/protocols", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-p6fpw", "Volume": "log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-p6fpw", "Volume": "xtables-lock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-p6fpw", "Volume": "protocols", "Path": "/etc/protocols", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-vsrfp", "Volume": "log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-vsrfp", "Volume": "xtables-lock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-vsrfp", "Volume": "protocols", "Path": "/etc/protocols", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-z8mcz", "Volume": "log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-z8mcz", "Volume": "xtables-lock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-z8mcz", "Volume": "protocols", "Path": "/etc/protocols", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-policy-698f7c86b4-nnff2", "Volume": "acs-credential", "Path": "/etc/kubernetes/azure.json", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-policy-698f7c86b4-nnff2", "Volume": "ca-certs", "Path": "/etc/ssl/certs", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "azure-policy-698f7c86b4-nnff2", "Volume": "etc-pki-ca-certs", "Path": "/etc/pki/ca-trust/extracted", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "extension-agent-66c4486d68-46cqq", "Volume": "varlog", "Path": "/var/log", 
"Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "extension-agent-66c4486d68-46cqq", "Volume": "varlibdockercontainers", "Path": "/var/lib/docker/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "extension-agent-66c4486d68-46cqq", "Volume": "acs-credential", "Path": "/etc/kubernetes/azure.json", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "extension-operator-d95fd449b-ssrcx", "Volume": "varlog", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "extension-operator-d95fd449b-ssrcx", "Volume": "varlibdockercontainers", "Path": "/var/lib/docker/containers", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "extension-operator-d95fd449b-ssrcx", "Volume": "acs-credential", "Path": "/etc/kubernetes/azure.json", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-26xkd", "Volume": "iptableslock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-26xkd", "Volume": "sysctls", "Path": "/etc/sysctl.d", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-26xkd", "Volume": "modules", "Path": "/lib/modules", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-6mrql", "Volume": "iptableslock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-6mrql", "Volume": "sysctls", "Path": "/etc/sysctl.d", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-6mrql", "Volume": "modules", "Path": "/lib/modules", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-9rbxf", "Volume": "iptableslock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-9rbxf", "Volume": "sysctls", "Path": "/etc/sysctl.d", 
"Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-9rbxf", "Volume": "modules", "Path": "/lib/modules", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-njzgk", "Volume": "iptableslock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-njzgk", "Volume": "sysctls", "Path": "/etc/sysctl.d", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-njzgk", "Volume": "modules", "Path": "/lib/modules", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-rvmxl", "Volume": "iptableslock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-rvmxl", "Volume": "sysctls", "Path": "/etc/sysctl.d", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-rvmxl", "Volume": "modules", "Path": "/lib/modules", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-vp7xj", "Volume": "iptableslock", "Path": "/run/xtables.lock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-vp7xj", "Volume": "sysctls", "Path": "/etc/sysctl.d", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "kube-proxy-vp7xj", "Volume": "modules", "Path": "/lib/modules", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Volume": "debugfs", "Path": "/sys/kernel", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Volume": "modules", "Path": "/lib/modules", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Volume": 
"usr-src", "Path": "/usr/src", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Volume": "containerd-file-sock", "Path": "/run/containerd/containerd.sock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Volume": "proc", "Path": "/proc", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Volume": "bin", "Path": "/bin", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Volume": "etc", "Path": "/etc", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Volume": "opt", "Path": "/opt", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Volume": "usr", "Path": "/usr", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Volume": "run", "Path": "/run", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Volume": "bpffs", "Path": "/sys/fs/bpf", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Volume": "debugfs", "Path": "/sys/kernel", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Volume": "modules", "Path": "/lib/modules", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Volume": "usr-src", "Path": "/usr/src", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", 
"Volume": "containerd-file-sock", "Path": "/run/containerd/containerd.sock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Volume": "proc", "Path": "/proc", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Volume": "bin", "Path": "/bin", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Volume": "etc", "Path": "/etc", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Volume": "opt", "Path": "/opt", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Volume": "usr", "Path": "/usr", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Volume": "run", "Path": "/run", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Volume": "bpffs", "Path": "/sys/fs/bpf", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Volume": "debugfs", "Path": "/sys/kernel", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Volume": "modules", "Path": "/lib/modules", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Volume": "usr-src", "Path": "/usr/src", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Volume": "containerd-file-sock", "Path": "/run/containerd/containerd.sock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": 
"microsoft-defender-collector-ds-d7gwk", "Volume": "proc", "Path": "/proc", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Volume": "bin", "Path": "/bin", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Volume": "etc", "Path": "/etc", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Volume": "opt", "Path": "/opt", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Volume": "usr", "Path": "/usr", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Volume": "run", "Path": "/run", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Volume": "bpffs", "Path": "/sys/fs/bpf", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mdcs8", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mdcs8", "Volume": "debugfs", "Path": "/sys/kernel", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mdcs8", "Volume": "modules", "Path": "/lib/modules", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mdcs8", "Volume": "usr-src", "Path": "/usr/src", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mdcs8", "Volume": "containerd-file-sock", "Path": "/run/containerd/containerd.sock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mdcs8", "Volume": "proc", "Path": "/proc", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": 
"microsoft-defender-collector-ds-mdcs8", "Volume": "bin", "Path": "/bin", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mdcs8", "Volume": "etc", "Path": "/etc", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mdcs8", "Volume": "opt", "Path": "/opt", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mdcs8", "Volume": "usr", "Path": "/usr", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mdcs8", "Volume": "run", "Path": "/run", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mdcs8", "Volume": "bpffs", "Path": "/sys/fs/bpf", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Volume": "debugfs", "Path": "/sys/kernel", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Volume": "modules", "Path": "/lib/modules", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Volume": "usr-src", "Path": "/usr/src", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Volume": "containerd-file-sock", "Path": "/run/containerd/containerd.sock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Volume": "proc", "Path": "/proc", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Volume": "bin", "Path": "/bin", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": 
"microsoft-defender-collector-ds-q6d6c", "Volume": "etc", "Path": "/etc", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Volume": "opt", "Path": "/opt", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Volume": "usr", "Path": "/usr", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Volume": "run", "Path": "/run", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Volume": "bpffs", "Path": "/sys/fs/bpf", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Volume": "debugfs", "Path": "/sys/kernel", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Volume": "modules", "Path": "/lib/modules", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Volume": "usr-src", "Path": "/usr/src", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Volume": "containerd-file-sock", "Path": "/run/containerd/containerd.sock", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Volume": "proc", "Path": "/proc", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Volume": "bin", "Path": "/bin", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Volume": "etc", "Path": "/etc", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": 
"microsoft-defender-collector-ds-wb5dm", "Volume": "opt", "Path": "/opt", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Volume": "usr", "Path": "/usr", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Volume": "run", "Path": "/run", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Volume": "bpffs", "Path": "/sys/fs/bpf", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-misc-7df6776447-bcbph", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2ql5b", "Volume": "cert-onboarding", "Path": "/var/microsoft/microsoft-defender-for-cloud", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2ql5b", "Volume": "host-root", "Path": "/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2ql5b", "Volume": "docker-sock", "Path": "/var/run", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2ql5b", "Volume": "container-hostname", "Path": "/etc/hostname", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2ql5b", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2ql5b", "Volume": "azure-json-path", "Path": "/etc/kubernetes", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2rsrw", "Volume": "cert-onboarding", "Path": "/var/microsoft/microsoft-defender-for-cloud", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2rsrw", 
"Volume": "host-root", "Path": "/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2rsrw", "Volume": "docker-sock", "Path": "/var/run", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2rsrw", "Volume": "container-hostname", "Path": "/etc/hostname", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2rsrw", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2rsrw", "Volume": "azure-json-path", "Path": "/etc/kubernetes", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-jj6dh", "Volume": "cert-onboarding", "Path": "/var/microsoft/microsoft-defender-for-cloud", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-jj6dh", "Volume": "host-root", "Path": "/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-jj6dh", "Volume": "docker-sock", "Path": "/var/run", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-jj6dh", "Volume": "container-hostname", "Path": "/etc/hostname", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-jj6dh", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-jj6dh", "Volume": "azure-json-path", "Path": "/etc/kubernetes", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-l5crs", "Volume": "cert-onboarding", "Path": "/var/microsoft/microsoft-defender-for-cloud", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-l5crs", 
"Volume": "host-root", "Path": "/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-l5crs", "Volume": "docker-sock", "Path": "/var/run", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-l5crs", "Volume": "container-hostname", "Path": "/etc/hostname", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-l5crs", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-l5crs", "Volume": "azure-json-path", "Path": "/etc/kubernetes", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-lfk8h", "Volume": "cert-onboarding", "Path": "/var/microsoft/microsoft-defender-for-cloud", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-lfk8h", "Volume": "host-root", "Path": "/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-lfk8h", "Volume": "docker-sock", "Path": "/var/run", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-lfk8h", "Volume": "container-hostname", "Path": "/etc/hostname", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-lfk8h", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-lfk8h", "Volume": "azure-json-path", "Path": "/etc/kubernetes", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-vz2c6", "Volume": "cert-onboarding", "Path": "/var/microsoft/microsoft-defender-for-cloud", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-vz2c6", 
"Volume": "host-root", "Path": "/", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-vz2c6", "Volume": "docker-sock", "Path": "/var/run", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-vz2c6", "Volume": "container-hostname", "Path": "/etc/hostname", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-vz2c6", "Volume": "host-log", "Path": "/var/log", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-vz2c6", "Volume": "azure-json-path", "Path": "/etc/kubernetes", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-cgv48", "Volume": "debug", "Path": "/sys/kernel/debug", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-cgv48", "Volume": "trace", "Path": "/sys/kernel/tracing", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-cgv48", "Volume": "bpf", "Path": "/sys/fs/bpf", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-cgv48", "Volume": "cgroup", "Path": "/sys/fs/cgroup", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-cgv48", "Volume": "cilium", "Path": "/var/run/cilium", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-gjxk8", "Volume": "debug", "Path": "/sys/kernel/debug", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-gjxk8", "Volume": "trace", "Path": "/sys/kernel/tracing", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-gjxk8", "Volume": "bpf", "Path": "/sys/fs/bpf", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-gjxk8", "Volume": "cgroup", "Path": "/sys/fs/cgroup", "Issue": "hostPath volume used" }, { "Namespace": 
"kube-system", "Pod": "retina-agent-gjxk8", "Volume": "cilium", "Path": "/var/run/cilium", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-js76w", "Volume": "debug", "Path": "/sys/kernel/debug", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-js76w", "Volume": "trace", "Path": "/sys/kernel/tracing", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-js76w", "Volume": "bpf", "Path": "/sys/fs/bpf", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-js76w", "Volume": "cgroup", "Path": "/sys/fs/cgroup", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-js76w", "Volume": "cilium", "Path": "/var/run/cilium", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-lfn7d", "Volume": "debug", "Path": "/sys/kernel/debug", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-lfn7d", "Volume": "trace", "Path": "/sys/kernel/tracing", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-lfn7d", "Volume": "bpf", "Path": "/sys/fs/bpf", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-lfn7d", "Volume": "cgroup", "Path": "/sys/fs/cgroup", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-lfn7d", "Volume": "cilium", "Path": "/var/run/cilium", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-qc9bs", "Volume": "debug", "Path": "/sys/kernel/debug", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-qc9bs", "Volume": "trace", "Path": "/sys/kernel/tracing", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-qc9bs", "Volume": "bpf", "Path": "/sys/fs/bpf", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": 
"retina-agent-qc9bs", "Volume": "cgroup", "Path": "/sys/fs/cgroup", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-qc9bs", "Volume": "cilium", "Path": "/var/run/cilium", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-wlt7b", "Volume": "debug", "Path": "/sys/kernel/debug", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-wlt7b", "Volume": "trace", "Path": "/sys/kernel/tracing", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-wlt7b", "Volume": "bpf", "Path": "/sys/fs/bpf", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-wlt7b", "Volume": "cgroup", "Path": "/sys/fs/cgroup", "Issue": "hostPath volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-wlt7b", "Volume": "cilium", "Path": "/var/run/cilium", "Issue": "hostPath volume used" } ] }, "SEC005": { "Total": 0, "URL": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#host-namespaces", "Name": "Pods Using hostIPC", "Description": "Detects pods that use hostIPC, which can compromise pod isolation and allow access to shared memory on the host.", "Recommendation": "Avoid using hostIPC in pods unless absolutely required for specific functionality.", "Weight": 3, "ID": "SEC005", "Message": "No issues detected for Pods Using hostIPC.", "ResourceKind": "Pod", "Section": "Security", "Category": "Pod Security", "Severity": "High", "Items": [] }, "NS001": { "Total": 14, "URL": "https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/", "Name": "Empty Namespaces", "Description": "Finds namespaces with no running pods.", "Recommendation": "These may be stale or unused and safe to delete after verifying they contain no critical resources.", "Weight": 1, "ID": "NS001", "ResourceKind": "namespaces", "Section": "Namespaces", "Category": "Namespaces", "Severity": "low", "Items": [ { "Namespace": 
"1", "Status": "📂 Empty" }, { "Namespace": "10", "Status": "📂 Empty" }, { "Namespace": "2", "Status": "📂 Empty" }, { "Namespace": "3", "Status": "📂 Empty" }, { "Namespace": "4", "Status": "📂 Empty" }, { "Namespace": "5", "Status": "📂 Empty" }, { "Namespace": "6", "Status": "📂 Empty" }, { "Namespace": "7", "Status": "📂 Empty" }, { "Namespace": "8", "Status": "📂 Empty" }, { "Namespace": "9", "Status": "📂 Empty" }, { "Namespace": "aks-istio-egress", "Status": "📂 Empty" }, { "Namespace": "default", "Status": "📂 Empty" }, { "Namespace": "kube-node-lease", "Status": "📂 Empty" }, { "Namespace": "kube-public", "Status": "📂 Empty" } ] }, "NS002": { "Total": 32, "URL": "https://kubernetes.io/docs/concepts/policy/resource-quotas/", "Name": "Missing or Weak ResourceQuotas", "Description": "Detects namespaces with missing or incomplete ResourceQuota definitions.", "Recommendation": "Apply CPU, memory, and pod quotas to enforce fair resource usage.", "Weight": 3, "ID": "NS002", "ResourceKind": "resourcequotas", "Section": "Namespaces", "Category": "Namespaces", "Severity": "medium", "Items": [ { "Namespace": "1", "Issue": "❌ No ResourceQuota" }, { "Namespace": "10", "Issue": "❌ No ResourceQuota" }, { "Namespace": "2", "Issue": "❌ No ResourceQuota" }, { "Namespace": "3", "Issue": "❌ No ResourceQuota" }, { "Namespace": "4", "Issue": "❌ No ResourceQuota" }, { "Namespace": "5", "Issue": "❌ No ResourceQuota" }, { "Namespace": "6", "Issue": "❌ No ResourceQuota" }, { "Namespace": "7", "Issue": "❌ No ResourceQuota" }, { "Namespace": "8", "Issue": "❌ No ResourceQuota" }, { "Namespace": "9", "Issue": "❌ No ResourceQuota" }, { "Namespace": "aks-istio-egress", "Issue": "❌ No ResourceQuota" }, { "Namespace": "aks-istio-ingress", "Issue": "❌ No ResourceQuota" }, { "Namespace": "aks-istio-system", "Issue": "❌ No ResourceQuota" }, { "Namespace": "app-routing-system", "Issue": "❌ No ResourceQuota" }, { "Namespace": "argo-rollouts", "Issue": "❌ No ResourceQuota" }, { "Namespace": 
"argo-workflows", "Issue": "❌ No ResourceQuota" }, { "Namespace": "argocd", "Issue": "❌ No ResourceQuota" }, { "Namespace": "cert-manager", "Issue": "❌ No ResourceQuota" }, { "Namespace": "default", "Issue": "❌ No ResourceQuota" }, { "Namespace": "gatekeeper-system", "Issue": "❌ No ResourceQuota" }, { "Namespace": "grafana", "Issue": "❌ No ResourceQuota" }, { "Namespace": "kiali-operator", "Issue": "❌ No ResourceQuota" }, { "Namespace": "kube-node-lease", "Issue": "❌ No ResourceQuota" }, { "Namespace": "kube-public", "Issue": "❌ No ResourceQuota" }, { "Namespace": "kube-system", "Issue": "❌ No ResourceQuota" }, { "Namespace": "kubeview", "Issue": "❌ No ResourceQuota" }, { "Namespace": "linkerd", "Issue": "❌ No ResourceQuota" }, { "Namespace": "nginx", "Issue": "❌ No ResourceQuota" }, { "Namespace": "pets", "Issue": "❌ No ResourceQuota" }, { "Namespace": "prometheus", "Issue": "❌ No ResourceQuota" }, { "Namespace": "sealed-secrets", "Issue": "❌ No ResourceQuota" }, { "Namespace": "test", "Issue": "❌ No ResourceQuota" } ] }, "AKSIAM003": { "ID": "AKSIAM003", "Severity": "Medium", "URL": "https://learn.microsoft.com/azure/aks/workload-identity-overview", "FailMessage": "", "Name": "Workload Identity Enabled", "Recommendation": "Workload Identity Enabled is enabled.", "Status": "✅ PASS", "Category": "Identity & Access", "Total": 0, "Items": null }, "AKSMON001": { "ID": "AKSMON001", "Severity": "High", "URL": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-overview", "FailMessage": "", "Name": "Azure Monitor", "Recommendation": "Azure Monitor is enabled.", "Status": "✅ PASS", "Category": "Monitoring & Logging", "Total": 0, "Items": null }, "AKSSEC001": { "ID": "AKSSEC001", "Severity": "High", "URL": "https://learn.microsoft.com/azure/aks/private-clusters", "FailMessage": "Cluster API server is publicly accessible, increasing security risks.", "Name": "Private Cluster", "Recommendation": "Configure the cluster as a private cluster to 
restrict API server access to your virtual network.", "Status": "❌ FAIL", "Category": "Security", "Total": 1, "Items": { "Issue": "Configure the cluster as a private cluster to restrict API server access to your virtual network.", "Resource": "Private Cluster" } }, "POD004": { "Total": 0, "URL": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase", "Name": "Pending Pods", "Description": "Detects pods stuck in a 'Pending' state due to scheduling or resource issues.", "Recommendation": "Inspect scheduling constraints, resource availability, and missing dependencies.", "Weight": 3, "ID": "POD004", "Message": "No issues detected for Pending Pods.", "ResourceKind": "Pod", "Section": "Pods", "Category": "Workloads", "Severity": "Warning", "Items": [] }, "RBAC004": { "Total": 4, "URL": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", "Name": "Orphaned and Ineffective Roles", "Description": "Flags Roles and ClusterRoles that are unused, lack subjects, or define no rules.", "Recommendation": "Delete Roles and ClusterRoles that are not bound or do not define any rules.", "Weight": 1, "ID": "RBAC004", "ResourceKind": "Role, ClusterRole", "Section": "Security", "Category": "RBAC", "Severity": "Low", "Items": [ { "Namespace": "cluster-wide", "Resource": "clusterrolebinding/system:node", "Value": "system:node", "Message": "ClusterRoleBinding has no subjects" }, { "Namespace": "cluster-wide", "Resource": "clusterrole/aks-secretproviderclasses-admin-role", "Value": "aks-secretproviderclasses-admin-role", "Message": "Unused ClusterRole" }, { "Namespace": "cluster-wide", "Resource": "clusterrole/aks-secretproviderclasses-viewer-role", "Value": "aks-secretproviderclasses-viewer-role", "Message": "Unused ClusterRole" }, { "Namespace": "cluster-wide", "Resource": "clusterrole/eraser-imagejob-pods-cluster-role", "Value": "eraser-imagejob-pods-cluster-role", "Message": "ClusterRole has no rules" } ] }, "WRK005": { "Total": 94, "URL": 
"https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", "Name": "Missing Resource Requests or Limits", "Description": "Checks for containers that are missing CPU or memory resource requests or limits.", "Recommendation": "Specify resource requests and limits on all containers.", "Weight": 3, "ID": "WRK005", "ResourceKind": "Pod", "Section": "Workloads", "Category": "Workloads", "Severity": "Warning", "Items": [ { "Namespace": "aks-istio-ingress", "Resource": "Deployment/aks-istio-ingressgateway-external-asm-1-23", "Value": "istio-proxy", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "aks-istio-system", "Resource": "Deployment/istiod-asm-1-23", "Value": "discovery", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "app-routing-system", "Resource": "Deployment/nginx", "Value": "controller", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "argo-rollouts", "Resource": "Deployment/simple-deployment", "Value": "webserver-simple", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "argo-workflows", "Resource": "Deployment/simple-deployment", "Value": "webserver-simple", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "argocd", "Resource": "Deployment/argocd-applicationset-controller", "Value": "argocd-applicationset-controller", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "argocd", "Resource": "Deployment/argocd-dex-server", "Value": "dex", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "argocd", "Resource": "Deployment/argocd-dex-server", "Value": "copyutil", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "argocd", "Resource": "Deployment/argocd-notifications-controller", "Value": "argocd-notifications-controller", 
"Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "argocd", "Resource": "Deployment/argocd-redis-ha-haproxy", "Value": "haproxy", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "argocd", "Resource": "Deployment/argocd-redis-ha-haproxy", "Value": "secret-init", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "argocd", "Resource": "Deployment/argocd-redis-ha-haproxy", "Value": "config-init", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "argocd", "Resource": "Deployment/argocd-repo-server", "Value": "argocd-repo-server", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "argocd", "Resource": "Deployment/argocd-repo-server", "Value": "copyutil", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "argocd", "Resource": "Deployment/argocd-server", "Value": "argocd-server", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "cert-manager", "Resource": "Deployment/simple-deployment", "Value": "webserver-simple", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "gatekeeper-system", "Resource": "Deployment/gatekeeper-audit", "Value": "gatekeeper-audit-container", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "gatekeeper-system", "Resource": "Deployment/gatekeeper-controller", "Value": "gatekeeper-controller-container", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "grafana", "Resource": "Deployment/simple-deployment", "Value": "webserver-simple", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kiali-operator", "Resource": "Deployment/kiali", "Value": "kiali", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { 
"Namespace": "kiali-operator", "Resource": "Deployment/kiali-operator", "Value": "operator", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/ama-logs-rs", "Value": "ama-logs", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/ama-metrics", "Value": "prometheus-collector", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/ama-metrics", "Value": "addon-token-adapter", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/ama-metrics-ksm", "Value": "ama-metrics-ksm", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/ama-metrics-operator-targets", "Value": "targetallocator", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/ama-metrics-operator-targets", "Value": "config-reader", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/azure-policy", "Value": "azure-policy", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/azure-policy-webhook", "Value": "azure-policy-webhook", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/azure-wi-webhook-controller-manager", "Value": "manager", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/coredns", "Value": "coredns", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/coredns-autoscaler", 
"Value": "autoscaler", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/eraser-controller-manager", "Value": "manager", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/extension-agent", "Value": "extension-agent", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/extension-agent", "Value": "fluent-bit", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/extension-operator", "Value": "manager", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/extension-operator", "Value": "fluent-bit", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/keda-admission-webhooks", "Value": "keda-admission-webhooks", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/keda-operator", "Value": "keda-operator", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/keda-operator-metrics-apiserver", "Value": "keda-operator-metrics-apiserver", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/konnectivity-agent", "Value": "konnectivity-agent", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/konnectivity-agent-autoscaler", "Value": "autoscaler", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/metrics-server", "Value": "metrics-server-vpa", "Message": 
"CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/metrics-server", "Value": "metrics-server", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/microsoft-defender-collector-misc", "Value": "microsoft-defender-pod-collector", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/vpa-admission-controller", "Value": "admission-controller", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/vpa-recommender", "Value": "recommender", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "Deployment/vpa-updater", "Value": "updater", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kubeview", "Resource": "Deployment/simple-deployment", "Value": "webserver-simple", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "linkerd", "Resource": "Deployment/simple-deployment", "Value": "webserver-simple", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "nginx", "Resource": "Deployment/simple-deployment", "Value": "webserver-simple", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "pets", "Resource": "Deployment/order-service", "Value": "order-service", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "pets", "Resource": "Deployment/order-service", "Value": "wait-for-rabbitmq", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "pets", "Resource": "Deployment/product-service", "Value": "product-service", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": 
"pets", "Resource": "Deployment/store-front", "Value": "store-front", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "prometheus", "Resource": "Deployment/simple-deployment", "Value": "webserver-simple", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "sealed-secrets", "Resource": "Deployment/simple-deployment", "Value": "webserver-simple", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "test", "Resource": "Deployment/simple-deployment", "Value": "webserver-simple", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "argocd", "Resource": "StatefulSet/argocd-application-controller", "Value": "argocd-application-controller", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "argocd", "Resource": "StatefulSet/argocd-redis-ha-server", "Value": "redis", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "argocd", "Resource": "StatefulSet/argocd-redis-ha-server", "Value": "sentinel", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "argocd", "Resource": "StatefulSet/argocd-redis-ha-server", "Value": "split-brain-fix", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "argocd", "Resource": "StatefulSet/argocd-redis-ha-server", "Value": "config-init", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "pets", "Resource": "StatefulSet/rabbitmq", "Value": "rabbitmq", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/aks-secrets-store-csi-driver", "Value": "node-driver-registrar", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/aks-secrets-store-csi-driver", "Value": 
"secrets-store", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/aks-secrets-store-csi-driver", "Value": "liveness-probe", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/aks-secrets-store-csi-driver-windows", "Value": "node-driver-registrar", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/aks-secrets-store-csi-driver-windows", "Value": "secrets-store", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/aks-secrets-store-csi-driver-windows", "Value": "liveness-probe", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/aks-secrets-store-provider-azure", "Value": "provider-azure-installer", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/aks-secrets-store-provider-azure-windows", "Value": "provider-azure-installer", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/ama-logs", "Value": "ama-logs", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/ama-logs", "Value": "ama-logs-prometheus", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/ama-logs-windows", "Value": "ama-logs-windows", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/ama-metrics-node", "Value": "prometheus-collector", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": 
"DaemonSet/ama-metrics-node", "Value": "addon-token-adapter", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/ama-metrics-win-node", "Value": "prometheus-collector", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/ama-metrics-win-node", "Value": "addon-token-adapter-win", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/azure-ip-masq-agent", "Value": "azure-ip-masq-agent", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/azure-npm", "Value": "azure-npm", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/azure-npm", "Value": "block-wireserver", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/cloud-node-manager", "Value": "cloud-node-manager", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/cloud-node-manager-windows", "Value": "cloud-node-manager", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/kube-proxy", "Value": "kube-proxy", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/kube-proxy", "Value": "kube-proxy-bootstrap", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/microsoft-defender-collector-ds", "Value": "microsoft-defender-pod-collector", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": 
"DaemonSet/microsoft-defender-collector-ds", "Value": "microsoft-defender-low-level-collector", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/microsoft-defender-publisher-ds", "Value": "microsoft-defender-publisher", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/microsoft-defender-publisher-ds", "Value": "old-file-cleaner", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/retina-agent", "Value": "retina", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/retina-agent", "Value": "retina-agent-init", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/retina-agent-win", "Value": "retinawin", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" }, { "Namespace": "kube-system", "Resource": "DaemonSet/windows-kube-proxy-initializer", "Value": "pause", "Message": "CPU and Memory Requests and CPU and Memory Limits missing" } ] }, "AKSRES003": { "ID": "AKSRES003", "Severity": "Medium", "URL": "https://learn.microsoft.com/azure/aks/vertical-pod-autoscaler", "FailMessage": "", "Name": "Vertical Pod Autoscaler (VPA) is enabled", "Recommendation": "Vertical Pod Autoscaler (VPA) is enabled.", "Status": "✅ PASS", "Category": "Resource Management", "Total": 0, "Items": null }, "NODE002": { "Total": 2, "URL": "https://kubernetes.io/docs/tasks/debug/debug-cluster/resource-usage-monitoring/", "Name": "Node Resource Pressure", "Description": "Detects nodes under high CPU, memory, or disk pressure.", "Recommendation": "Investigate and rebalance workloads on nodes with high resource usage.", "Weight": 6, "ID": "NODE002", "ResourceKind": "Node", "Section": "Nodes", 
"Category": "Nodes", "Severity": "Medium", "Items": [ { "Node": "aks-systempool-19995743-vmss00000m", "CPU Status": "✅ Normal", "CPU %": "8.84%", "CPU Used": "168 mC", "CPU Total": "1900 mC", "Mem Status": "🟡 Warning", "Mem %": "52.23%", "Mem Used": "3412 Mi", "Mem Total": "6533 Mi", "Disk %": "52%", "Disk Status": "✅ Normal" }, { "Node": "aks-systempool-19995743-vmss00000n", "CPU Status": "✅ Normal", "CPU %": "8.68%", "CPU Used": "165 mC", "CPU Total": "1900 mC", "Mem Status": "🟡 Warning", "Mem %": "50.30%", "Mem Used": "3286 Mi", "Mem Total": "6533 Mi", "Disk %": "50%", "Disk Status": "✅ Normal" }, { "Node": "aks-systempool-19995743-vmss00000o", "CPU Status": "✅ Normal", "CPU %": "8.63%", "CPU Used": "164 mC", "CPU Total": "1900 mC", "Mem Status": "✅ Normal", "Mem %": "49.61%", "Mem Used": "3241 Mi", "Mem Total": "6533 Mi", "Disk %": "49%", "Disk Status": "✅ Normal" }, { "Node": "aks-workloadpool-10479701-vmss00000e", "CPU Status": "✅ Normal", "CPU %": "31.01%", "CPU Used": "1197 mC", "CPU Total": "3860 mC", "Mem Status": "✅ Normal", "Mem %": "22.45%", "Mem Used": "3274 Mi", "Mem Total": "14584 Mi", "Disk %": "22%", "Disk Status": "✅ Normal" }, { "Node": "aks-workloadpool-10479701-vmss00000f", "CPU Status": "✅ Normal", "CPU %": "30.34%", "CPU Used": "1171 mC", "CPU Total": "3860 mC", "Mem Status": "✅ Normal", "Mem %": "16.83%", "Mem Used": "2454 Mi", "Mem Total": "14584 Mi", "Disk %": "16%", "Disk Status": "✅ Normal" }, { "Node": "aks-workloadpool-10479701-vmss00000g", "CPU Status": "✅ Normal", "CPU %": "3.52%", "CPU Used": "136 mC", "CPU Total": "3860 mC", "Mem Status": "✅ Normal", "Mem %": "14.12%", "Mem Used": "2059 Mi", "Mem Total": "14584 Mi", "Disk %": "14%", "Disk Status": "✅ Normal" } ] }, "POD003": { "Total": 0, "URL": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase", "Name": "Failed Pods", "Description": "Detects pods in a failed phase, typically due to startup errors, crashes, or misconfiguration.", "Recommendation": 
"Investigate failed pods for common issues like image errors, resource constraints, or crash loops.", "Weight": 4, "ID": "POD003", "Message": "No issues detected for Failed Pods.", "ResourceKind": "Pod", "Section": "Pods", "Category": "Workloads", "Severity": "Error", "Items": [] }, "AKSNET004": { "ID": "AKSNET004", "Severity": "Medium", "URL": "https://learn.microsoft.com/azure/aks/concepts-network#networking-options", "FailMessage": "", "Name": "Azure CNI Networking Recommended", "Recommendation": "Azure CNI networking is enabled.", "Status": "✅ PASS", "Category": "Networking", "Total": 0, "Items": null }, "AKSNET001": { "ID": "AKSNET001", "Severity": "High", "URL": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-security#secure-access-to-the-api-server-and-cluster-nodes", "FailMessage": "", "Name": "Authorized IP Ranges", "Recommendation": "Authorized IP Ranges is enabled.", "Status": "✅ PASS", "Category": "Networking", "Total": 0, "Items": null }, "CFG001": { "Total": 20, "URL": "https://kubernetes.io/docs/concepts/configuration/configmap/", "Name": "Orphaned ConfigMaps", "Description": "Detects ConfigMaps that are not referenced by any pod, workload, service, or ingress.", "Recommendation": "Delete unused ConfigMaps to clean up the cluster and reduce confusion.", "Weight": 1, "ID": "CFG001", "ResourceKind": "ConfigMap", "Section": "Configuration Hygiene", "Category": "Best Practices", "Severity": "Medium", "Items": [ { "Namespace": "aks-istio-system", "Resource": "configmap/istio-asm-1-23", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." }, { "Namespace": "aks-istio-system", "Resource": "configmap/istio-gateway-status-leader", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." }, { "Namespace": "aks-istio-system", "Resource": "configmap/istio-leader", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." 
}, { "Namespace": "aks-istio-system", "Resource": "configmap/istio-namespace-controller-election", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." }, { "Namespace": "aks-istio-system", "Resource": "configmap/istio-sidecar-injector-asm-1-23", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." }, { "Namespace": "app-routing-system", "Resource": "configmap/nginx", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." }, { "Namespace": "argocd", "Resource": "configmap/argocd-notifications-cm", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." }, { "Namespace": "argocd", "Resource": "configmap/argocd-rbac-cm", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." }, { "Namespace": "kube-system", "Resource": "configmap/azure-ip-masq-agent-config-reconciled", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." }, { "Namespace": "kube-system", "Resource": "configmap/cluster-autoscaler-status", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." }, { "Namespace": "kube-system", "Resource": "configmap/container-azm-ms-aks-k8scluster", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." }, { "Namespace": "kube-system", "Resource": "configmap/coredns-autoscaler", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." }, { "Namespace": "kube-system", "Resource": "configmap/eraser-system-exclusion", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." }, { "Namespace": "kube-system", "Resource": "configmap/extension-apiserver-authentication", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." }, { "Namespace": "kube-system", "Resource": "configmap/extension-immutable-values", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." 
}, { "Namespace": "kube-system", "Resource": "configmap/extensioncontrollerleaderid-lock", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." }, { "Namespace": "kube-system", "Resource": "configmap/konnectivity-agent-autoscaler", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." }, { "Namespace": "kube-system", "Resource": "configmap/kube-apiserver-legacy-service-account-token-tracking", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." }, { "Namespace": "kube-system", "Resource": "configmap/overlay-upgrade-data", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." }, { "Namespace": "kube-system", "Resource": "configmap/retina-config-win", "Value": "-", "Message": "ConfigMap is not used by any workloads or services." } ] }, "AKSIAM007": { "ID": "AKSIAM007", "Severity": "High", "URL": "https://learn.microsoft.com/azure/aks/manage-local-accounts-managed-azure-ad", "FailMessage": "", "Name": "Local Accounts Disabled", "Recommendation": "Local accounts are disabled.", "Status": "✅ PASS", "Category": "Identity & Access", "Total": 0, "Items": null }, "RBAC002": { "Total": 21, "URL": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", "Name": "RBAC Overexposure", "Description": "Identifies dangerous RBAC grants such as cluster-admin, wildcard permissions, and sensitive resource access in roles and bindings.", "Recommendation": "Avoid cluster-admin, wildcard, and sensitive resource access in roles. 
Use least privilege.", "Weight": 5, "ID": "RBAC002", "ResourceKind": "ClusterRoleBinding", "Section": "Security", "Category": "RBAC", "Severity": "Critical", "Items": [ { "Namespace": "🌍 Cluster-Wide", "Resource": "ClusterRoleBinding/aks-cluster-admin-binding", "Value": "User/clusterAdmin", "Message": "cluster-admin binding (built-in)" }, { "Namespace": "🌍 Cluster-Wide", "Resource": "ClusterRoleBinding/aks-cluster-admin-binding", "Value": "User/clusterUser", "Message": "cluster-admin binding (built-in)" }, { "Namespace": "🌍 Cluster-Wide", "Resource": "ClusterRoleBinding/aks-cluster-admin-binding-aad", "Value": "Group/e591c663-c79c-47a4-94b8-f646b8647046", "Message": "cluster-admin binding (built-in)" }, { "Namespace": "🌍 Cluster-Wide", "Resource": "ClusterRoleBinding/aks-secretprovidersyncing-rolebinding", "Value": "ServiceAccount/aks-secrets-store-csi-driver", "Message": "Access to sensitive resources" }, { "Namespace": "🌍 Cluster-Wide", "Resource": "ClusterRoleBinding/aks-service-rolebinding", "Value": "User/aks-support", "Message": "Access to sensitive resources" }, { "Namespace": "🌍 Cluster-Wide", "Resource": "ClusterRoleBinding/argocd-application-controller", "Value": "ServiceAccount/argocd-application-controller", "Message": "Wildcard permission role" }, { "Namespace": "🌍 Cluster-Wide", "Resource": "ClusterRoleBinding/cluster-admin", "Value": "Group/system:masters", "Message": "cluster-admin binding (built-in)" }, { "Namespace": "🌍 Cluster-Wide", "Resource": "ClusterRoleBinding/extension-operator", "Value": "ServiceAccount/extension-operatorsa", "Message": "cluster-admin binding (built-in)" }, { "Namespace": "🌍 Cluster-Wide", "Resource": "ClusterRoleBinding/kiali-operator", "Value": "ServiceAccount/kiali-operator", "Message": "Access to sensitive resources" }, { "Namespace": "🌍 Cluster-Wide", "Resource": "ClusterRoleBinding/system:controller:clusterrole-aggregation-controller", "Value": "ServiceAccount/clusterrole-aggregation-controller", "Message": "Access 
to sensitive resources (built-in)" }, { "Namespace": "🌍 Cluster-Wide", "Resource": "ClusterRoleBinding/system:controller:legacy-service-account-token-cleaner", "Value": "ServiceAccount/legacy-service-account-token-cleaner", "Message": "Access to sensitive resources (built-in)" }, { "Namespace": "🌍 Cluster-Wide", "Resource": "ClusterRoleBinding/system:kube-controller-manager", "Value": "User/system:kube-controller-manager", "Message": "Access to sensitive resources (built-in)" }, { "Namespace": "🌍 Cluster-Wide", "Resource": "ClusterRoleBinding/system:kube-scheduler", "Value": "User/system:kube-scheduler", "Message": "Access to sensitive resources (built-in)" }, { "Namespace": "🌍 Cluster-Wide", "Resource": "ClusterRoleBinding/system:persistent-volume-binding", "Value": "ServiceAccount/persistent-volume-binder", "Message": "Access to sensitive resources (built-in)" }, { "Namespace": "aks-istio-system", "Resource": "RoleBinding/istiod-asm-1-23", "Value": "ServiceAccount/istiod-asm-1-23", "Message": "Access to sensitive resources" }, { "Namespace": "argocd", "Resource": "RoleBinding/argocd-redis-ha-haproxy", "Value": "ServiceAccount/argocd-redis-ha-haproxy", "Message": "Access to sensitive resources" }, { "Namespace": "argocd", "Resource": "RoleBinding/argocd-server", "Value": "ServiceAccount/argocd-server", "Message": "Access to sensitive resources" }, { "Namespace": "gatekeeper-system", "Resource": "RoleBinding/gatekeeper-manager-rolebinding", "Value": "ServiceAccount/gatekeeper-admin", "Message": "Access to sensitive resources" }, { "Namespace": "kube-system", "Resource": "RoleBinding/azure-policy-webhook-rolebinding", "Value": "ServiceAccount/azure-policy-webhook-account", "Message": "Access to sensitive resources" }, { "Namespace": "kube-system", "Resource": "RoleBinding/keda-operator-certs", "Value": "ServiceAccount/keda-operator", "Message": "Access to sensitive resources" }, { "Namespace": "kube-system", "Resource": "RoleBinding/system:controller:token-cleaner", 
"Value": "ServiceAccount/token-cleaner", "Message": "Access to sensitive resources" } ] }, "JOB001": { "Total": 0, "URL": "https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy", "Name": "Stuck Kubernetes Jobs", "Description": "Finds Jobs that have started but not completed within a threshold.", "Recommendation": "Jobs that haven't completed may be stuck due to node issues, misconfiguration, or missing pods.", "Weight": 2, "ID": "JOB001", "Message": "No issues detected for Stuck Kubernetes Jobs.", "ResourceKind": "jobs", "Section": "Jobs", "Category": "Jobs", "Severity": "medium", "Items": [] }, "NODE001": { "Total": 0, "URL": "https://kubernetes.io/docs/concepts/architecture/nodes/", "Name": "Node Readiness and Conditions", "Description": "Detects nodes that are not in Ready state or reporting other warning conditions.", "Recommendation": "Investigate NotReady nodes to avoid workload disruption.", "Weight": 8, "ID": "NODE001", "Message": "No issues detected for Node Readiness and Conditions.", "ResourceKind": "Node", "Section": "Nodes", "Category": "Nodes", "Severity": "High", "Items": [ { "Node": "aks-systempool-19995743-vmss00000m", "Status": "✅ Healthy", "Issues": "None" }, { "Node": "aks-systempool-19995743-vmss00000n", "Status": "✅ Healthy", "Issues": "None" }, { "Node": "aks-systempool-19995743-vmss00000o", "Status": "✅ Healthy", "Issues": "None" }, { "Node": "aks-workloadpool-10479701-vmss00000e", "Status": "✅ Healthy", "Issues": "None" }, { "Node": "aks-workloadpool-10479701-vmss00000f", "Status": "✅ Healthy", "Issues": "None" }, { "Node": "aks-workloadpool-10479701-vmss00000g", "Status": "✅ Healthy", "Issues": "None" } ] }, "SEC012": { "Total": 70, "URL": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", "Name": "Added Linux Capabilities", "Description": "Flags containers that add extra Linux capabilities using securityContext.capabilities.add.\n", "Recommendation": "Avoid adding 
capabilities unless necessary. Most apps don’t need them.", "Weight": 2, "ID": "SEC012", "ResourceKind": "Pod", "Section": "Security", "Category": "Pod Security", "Severity": "Medium", "Items": [ { "Namespace": "app-routing-system", "Pod": "nginx-69fcb489fd-4wgk9", "Container": "controller", "Capabilities": "NET_BIND_SERVICE", "Issue": "Added Linux capabilities" }, { "Namespace": "app-routing-system", "Pod": "nginx-69fcb489fd-64v6k", "Container": "controller", "Capabilities": "NET_BIND_SERVICE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-logs-4v8mz", "Container": "ama-logs", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-logs-4v8mz", "Container": "ama-logs-prometheus", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-logs-5vr2w", "Container": "ama-logs", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-logs-5vr2w", "Container": "ama-logs-prometheus", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-logs-fmd7b", "Container": "ama-logs", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-logs-fmd7b", "Container": "ama-logs-prometheus", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-logs-fpkw6", "Container": "ama-logs", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-logs-fpkw6", "Container": "ama-logs-prometheus", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-logs-gqs28", "Container": "ama-logs", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-logs-gqs28", 
"Container": "ama-logs-prometheus", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-logs-ndxrw", "Container": "ama-logs", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-logs-ndxrw", "Container": "ama-logs-prometheus", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-logs-rs-64765bd4b9-ldxwl", "Container": "ama-logs", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-hlggb", "Container": "prometheus-collector", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-hlggb", "Container": "addon-token-adapter", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-q2mlg", "Container": "prometheus-collector", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-q2mlg", "Container": "addon-token-adapter", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-2ssrw", "Container": "prometheus-collector", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-2ssrw", "Container": "addon-token-adapter", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-6kkz8", "Container": "prometheus-collector", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-6kkz8", "Container": "addon-token-adapter", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { 
"Namespace": "kube-system", "Pod": "ama-metrics-node-9h44h", "Container": "prometheus-collector", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-9h44h", "Container": "addon-token-adapter", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-lhk42", "Container": "prometheus-collector", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-lhk42", "Container": "addon-token-adapter", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-nm5bf", "Container": "prometheus-collector", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-nm5bf", "Container": "addon-token-adapter", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-pqcz5", "Container": "prometheus-collector", "Capabilities": "DAC_OVERRIDE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-pqcz5", "Container": "addon-token-adapter", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-4522j", "Container": "azure-ip-masq-agent", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-4c7cr", "Container": "azure-ip-masq-agent", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-78rnw", "Container": "azure-ip-masq-agent", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-84ltn", 
"Container": "azure-ip-masq-agent", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-t4c2w", "Container": "azure-ip-masq-agent", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-vbdd8", "Container": "azure-ip-masq-agent", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "azure-npm-jsbbh", "Container": "azure-npm", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "azure-npm-lp6sf", "Container": "azure-npm", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "azure-npm-nv6xx", "Container": "azure-npm", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "azure-npm-p6fpw", "Container": "azure-npm", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "azure-npm-vsrfp", "Container": "azure-npm", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "azure-npm-z8mcz", "Container": "azure-npm", "Capabilities": "NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "coredns-658d6d767d-757xp", "Container": "coredns", "Capabilities": "NET_BIND_SERVICE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "coredns-658d6d767d-pt6l6", "Container": "coredns", "Capabilities": "NET_BIND_SERVICE", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Container": "microsoft-defender-pod-collector", "Capabilities": "NET_RAW, NET_ADMIN", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": 
"microsoft-defender-collector-ds-6xdfq", "Container": "microsoft-defender-low-level-collector", "Capabilities": "SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Container": "microsoft-defender-pod-collector", "Capabilities": "NET_RAW, NET_ADMIN", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Container": "microsoft-defender-low-level-collector", "Capabilities": "SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Container": "microsoft-defender-pod-collector", "Capabilities": "NET_RAW, NET_ADMIN", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Container": "microsoft-defender-low-level-collector", "Capabilities": "SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mdcs8", "Container": "microsoft-defender-pod-collector", "Capabilities": "NET_RAW, NET_ADMIN", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mdcs8", "Container": "microsoft-defender-low-level-collector", "Capabilities": "SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Container": "microsoft-defender-pod-collector", "Capabilities": "NET_RAW, NET_ADMIN", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Container": "microsoft-defender-low-level-collector", "Capabilities": "SYS_ADMIN, 
SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Container": "microsoft-defender-pod-collector", "Capabilities": "NET_RAW, NET_ADMIN", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Container": "microsoft-defender-low-level-collector", "Capabilities": "SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-misc-7df6776447-bcbph", "Container": "microsoft-defender-pod-collector", "Capabilities": "NET_RAW, NET_ADMIN", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2ql5b", "Container": "microsoft-defender-publisher", "Capabilities": "NET_RAW, NET_ADMIN", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2rsrw", "Container": "microsoft-defender-publisher", "Capabilities": "NET_RAW, NET_ADMIN", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-jj6dh", "Container": "microsoft-defender-publisher", "Capabilities": "NET_RAW, NET_ADMIN", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-l5crs", "Container": "microsoft-defender-publisher", "Capabilities": "NET_RAW, NET_ADMIN", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-lfk8h", "Container": "microsoft-defender-publisher", "Capabilities": "NET_RAW, NET_ADMIN", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-vz2c6", "Container": "microsoft-defender-publisher", "Capabilities": "NET_RAW, NET_ADMIN", "Issue": "Added Linux capabilities" }, { 
"Namespace": "kube-system", "Pod": "retina-agent-cgv48", "Container": "retina", "Capabilities": "SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "retina-agent-gjxk8", "Container": "retina", "Capabilities": "SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "retina-agent-js76w", "Container": "retina", "Capabilities": "SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "retina-agent-lfn7d", "Container": "retina", "Capabilities": "SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "retina-agent-qc9bs", "Container": "retina", "Capabilities": "SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK", "Issue": "Added Linux capabilities" }, { "Namespace": "kube-system", "Pod": "retina-agent-wlt7b", "Container": "retina", "Capabilities": "SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK", "Issue": "Added Linux capabilities" } ] }, "AKSIAM001": { "ID": "AKSIAM001", "Severity": "High", "URL": "https://learn.microsoft.com/azure/aks/manage-azure-rbac?tabs=azure-cli", "FailMessage": "", "Name": "RBAC Enabled", "Recommendation": "RBAC Enabled is enabled.", "Status": "✅ PASS", "Category": "Identity & Access", "Total": 0, "Items": null }, "POD001": { "Total": 0, "URL": "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#application-crashes", "Name": "Pods with High Restarts", "Description": "Detects pods that have restarted more than the defined threshold.", "Recommendation": "Review logs and events for frequently restarting pods and address root causes such as crashes, missing configs, or failing probes.", "Weight": 3, "ID": "POD001", "Message": "No issues detected for Pods with High Restarts.", "ResourceKind": "Pod", "Section": 
"Pods", "Category": "Workloads", "Severity": "Warning", "Items": [] }, "SEC016": { "Total": 33, "URL": "https://kubernetes.io/docs/concepts/configuration/secret/", "Name": "Non-Existent Secret References", "Description": "Flags pods referencing Secrets that do not exist. This may cause runtime failures.", "Recommendation": "Verify that all Secrets referenced by pods exist in the target namespace.", "Weight": 4, "ID": "SEC016", "ResourceKind": "Pod", "Section": "Security", "Category": "Pod Security", "Severity": "High", "Items": [ { "Namespace": "aks-istio-system", "Pod": "istiod-asm-1-23-7744d5fbf4-9572m", "Volume": "cacerts", "Secret": "cacerts", "Issue": "Missing secret reference in volume" }, { "Namespace": "aks-istio-system", "Pod": "istiod-asm-1-23-7744d5fbf4-9572m", "Volume": "istio-kubeconfig", "Secret": "istio-kubeconfig", "Issue": "Missing secret reference in volume" }, { "Namespace": "aks-istio-system", "Pod": "istiod-asm-1-23-7744d5fbf4-9572m", "Volume": "istio-csr-dns-cert", "Secret": "istiod-tls", "Issue": "Missing secret reference in volume" }, { "Namespace": "aks-istio-system", "Pod": "istiod-asm-1-23-7744d5fbf4-rqzvt", "Volume": "cacerts", "Secret": "cacerts", "Issue": "Missing secret reference in volume" }, { "Namespace": "aks-istio-system", "Pod": "istiod-asm-1-23-7744d5fbf4-rqzvt", "Volume": "istio-kubeconfig", "Secret": "istio-kubeconfig", "Issue": "Missing secret reference in volume" }, { "Namespace": "aks-istio-system", "Pod": "istiod-asm-1-23-7744d5fbf4-rqzvt", "Volume": "istio-csr-dns-cert", "Secret": "istiod-tls", "Issue": "Missing secret reference in volume" }, { "Namespace": "argocd", "Pod": "argocd-application-controller-0", "Volume": "argocd-repo-server-tls", "Secret": "argocd-repo-server-tls", "Issue": "Missing secret reference in volume" }, { "Namespace": "argocd", "Pod": "argocd-applicationset-controller-6fdf84dbb6-msffz", "Volume": "argocd-repo-server-tls", "Secret": "argocd-repo-server-tls", "Issue": "Missing secret reference in 
volume" }, { "Namespace": "argocd", "Pod": "argocd-dex-server-556c76889-h4kxj", "Volume": "argocd-dex-server-tls", "Secret": "argocd-dex-server-tls", "Issue": "Missing secret reference in volume" }, { "Namespace": "argocd", "Pod": "argocd-notifications-controller-6ff6bf8dd6-nbktr", "Volume": "argocd-repo-server-tls", "Secret": "argocd-repo-server-tls", "Issue": "Missing secret reference in volume" }, { "Namespace": "argocd", "Pod": "argocd-repo-server-8568fc89b5-sx6ks", "Volume": "argocd-repo-server-tls", "Secret": "argocd-repo-server-tls", "Issue": "Missing secret reference in volume" }, { "Namespace": "argocd", "Pod": "argocd-repo-server-8568fc89b5-xrzzn", "Volume": "argocd-repo-server-tls", "Secret": "argocd-repo-server-tls", "Issue": "Missing secret reference in volume" }, { "Namespace": "argocd", "Pod": "argocd-server-54f9645b87-k4rz8", "Volume": "argocd-repo-server-tls", "Secret": "argocd-repo-server-tls", "Issue": "Missing secret reference in volume" }, { "Namespace": "argocd", "Pod": "argocd-server-54f9645b87-k4rz8", "Volume": "argocd-dex-server-tls", "Secret": "argocd-dex-server-tls", "Issue": "Missing secret reference in volume" }, { "Namespace": "argocd", "Pod": "argocd-server-54f9645b87-wwzgz", "Volume": "argocd-repo-server-tls", "Secret": "argocd-repo-server-tls", "Issue": "Missing secret reference in volume" }, { "Namespace": "argocd", "Pod": "argocd-server-54f9645b87-wwzgz", "Volume": "argocd-dex-server-tls", "Secret": "argocd-dex-server-tls", "Issue": "Missing secret reference in volume" }, { "Namespace": "kiali-operator", "Pod": "kiali-5b88cfb6f8-cm8dz", "Volume": "kiali-secret", "Secret": "kiali", "Issue": "Missing secret reference in volume" }, { "Namespace": "kube-system", "Pod": "ama-logs-4v8mz", "Volume": "ama-logs-adx-secret", "Secret": "ama-logs-adx-secret", "Issue": "Missing secret reference in volume" }, { "Namespace": "kube-system", "Pod": "ama-logs-5vr2w", "Volume": "ama-logs-adx-secret", "Secret": "ama-logs-adx-secret", "Issue": 
"Missing secret reference in volume" }, { "Namespace": "kube-system", "Pod": "ama-logs-fmd7b", "Volume": "ama-logs-adx-secret", "Secret": "ama-logs-adx-secret", "Issue": "Missing secret reference in volume" }, { "Namespace": "kube-system", "Pod": "ama-logs-fpkw6", "Volume": "ama-logs-adx-secret", "Secret": "ama-logs-adx-secret", "Issue": "Missing secret reference in volume" }, { "Namespace": "kube-system", "Pod": "ama-logs-gqs28", "Volume": "ama-logs-adx-secret", "Secret": "ama-logs-adx-secret", "Issue": "Missing secret reference in volume" }, { "Namespace": "kube-system", "Pod": "ama-logs-ndxrw", "Volume": "ama-logs-adx-secret", "Secret": "ama-logs-adx-secret", "Issue": "Missing secret reference in volume" }, { "Namespace": "kube-system", "Pod": "ama-logs-rs-64765bd4b9-ldxwl", "Volume": "ama-logs-adx-secret", "Secret": "ama-logs-adx-secret", "Issue": "Missing secret reference in volume" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-hlggb", "Volume": "ama-metrics-tls-secret-volume", "Secret": "ama-metrics-mtls-secret", "Issue": "Missing secret reference in volume" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-q2mlg", "Volume": "ama-metrics-tls-secret-volume", "Secret": "ama-metrics-mtls-secret", "Issue": "Missing secret reference in volume" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-2ssrw", "Volume": "ama-metrics-tls-secret-volume", "Secret": "ama-metrics-mtls-secret", "Issue": "Missing secret reference in volume" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-6kkz8", "Volume": "ama-metrics-tls-secret-volume", "Secret": "ama-metrics-mtls-secret", "Issue": "Missing secret reference in volume" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-9h44h", "Volume": "ama-metrics-tls-secret-volume", "Secret": "ama-metrics-mtls-secret", "Issue": "Missing secret reference in volume" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-lhk42", "Volume": "ama-metrics-tls-secret-volume", "Secret": 
"ama-metrics-mtls-secret", "Issue": "Missing secret reference in volume" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-nm5bf", "Volume": "ama-metrics-tls-secret-volume", "Secret": "ama-metrics-mtls-secret", "Issue": "Missing secret reference in volume" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-pqcz5", "Volume": "ama-metrics-tls-secret-volume", "Secret": "ama-metrics-mtls-secret", "Issue": "Missing secret reference in volume" }, { "Namespace": "kube-system", "Pod": "ama-metrics-operator-targets-66fb46c8d6-vskdg", "Volume": "ama-metrics-tls-secret-volume", "Secret": "ama-metrics-mtls-secret", "Issue": "Missing secret reference in volume" } ] }, "AKSIAM006": { "ID": "AKSIAM006", "Severity": "High", "URL": "https://learn.microsoft.com/azure/aks/manage-azure-rbac?tabs=azure-cli", "FailMessage": "", "Name": "AAD Managed Authentication Enabled", "Recommendation": "AAD Managed Authentication Enabled is enabled.", "Status": "✅ PASS", "Category": "Identity & Access", "Total": 0, "Items": null }, "AKSBP001": { "ID": "AKSBP001", "Severity": "High", "URL": "https://learn.microsoft.com/azure/aks/policy-reference", "FailMessage": "The 'Only Allowed Images' policy is either missing or not enforcing deny mode, increasing the risk of running untrusted images.", "Name": "Allowed Container Images Policy Enforcement", "Recommendation": "Deploy and enforce the 'Only Allowed Images' policy with deny mode to restrict unapproved images.", "Status": "❌ FAIL", "Category": "Best Practices", "Total": 1, "Items": { "Issue": "Deploy and enforce the 'Only Allowed Images' policy with deny mode to restrict unapproved images.", "Resource": "Allowed Container Images Policy Enforcement" } }, "SEC006": { "Total": 155, "URL": "https://kubernetes.io/docs/concepts/security/pod-security-standards/", "Name": "Pods Missing Secure Defaults", "Description": "Checks if pods are missing recommended securityContext fields such as runAsNonRoot, readOnlyRootFilesystem, or 
allowPrivilegeEscalation.\n", "Recommendation": "Set runAsNonRoot=true, readOnlyRootFilesystem=true, and allowPrivilegeEscalation=false for all pods and containers.\n", "Weight": 3, "ID": "SEC006", "ResourceKind": "Pod", "Section": "Security", "Category": "Pod Security", "Severity": "Medium", "Items": [ { "Namespace": "app-routing-system", "Pod": "nginx-69fcb489fd-4wgk9", "Container": "controller", "Flags": "runAsNonRoot: True, readOnlyRootFilesystem: , allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "app-routing-system", "Pod": "nginx-69fcb489fd-64v6k", "Container": "controller", "Flags": "runAsNonRoot: True, readOnlyRootFilesystem: , allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "argo-rollouts", "Pod": "simple-deployment-74fd649f8d-996vt", "Container": "webserver-simple", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "argo-workflows", "Pod": "simple-deployment-74fd649f8d-24t56", "Container": "webserver-simple", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "argocd", "Pod": "argocd-notifications-controller-6ff6bf8dd6-nbktr", "Container": "argocd-notifications-controller", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-haproxy-fb657456c-kjbkq", "Container": "haproxy", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-haproxy-fb657456c-kjlpf", "Container": "haproxy", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-haproxy-fb657456c-tnjmb", "Container": 
"haproxy", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-0", "Container": "redis", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-0", "Container": "sentinel", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-0", "Container": "split-brain-fix", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-1", "Container": "redis", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-1", "Container": "sentinel", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-1", "Container": "split-brain-fix", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-2", "Container": "redis", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-2", "Container": "sentinel", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "argocd", "Pod": 
"argocd-redis-ha-server-2", "Container": "split-brain-fix", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "cert-manager", "Pod": "simple-deployment-74fd649f8d-7cht8", "Container": "webserver-simple", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "grafana", "Pod": "simple-deployment-74fd649f8d-l7wrd", "Container": "webserver-simple", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-2l2wl", "Container": "node-driver-registrar", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-2l2wl", "Container": "secrets-store", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-2l2wl", "Container": "liveness-probe", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-6w2vp", "Container": "node-driver-registrar", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-6w2vp", "Container": "secrets-store", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-6w2vp", "Container": "liveness-probe", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-7879c", "Container": "node-driver-registrar", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": 
"kube-system", "Pod": "aks-secrets-store-csi-driver-7879c", "Container": "secrets-store", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-7879c", "Container": "liveness-probe", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-m8m29", "Container": "node-driver-registrar", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-m8m29", "Container": "secrets-store", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-m8m29", "Container": "liveness-probe", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-vnmcd", "Container": "node-driver-registrar", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-vnmcd", "Container": "secrets-store", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-vnmcd", "Container": "liveness-probe", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-zrfbz", "Container": "node-driver-registrar", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-zrfbz", "Container": "secrets-store", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", 
"Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-zrfbz", "Container": "liveness-probe", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-68nhw", "Container": "provider-azure-installer", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-7bqmn", "Container": "provider-azure-installer", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-7r458", "Container": "provider-azure-installer", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-k9tdc", "Container": "provider-azure-installer", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-n952g", "Container": "provider-azure-installer", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-njpqh", "Container": "provider-azure-installer", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-logs-4v8mz", "Container": "ama-logs", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": 
"kube-system", "Pod": "ama-logs-4v8mz", "Container": "ama-logs-prometheus", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-logs-5vr2w", "Container": "ama-logs", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-logs-5vr2w", "Container": "ama-logs-prometheus", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-logs-fmd7b", "Container": "ama-logs", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-logs-fmd7b", "Container": "ama-logs-prometheus", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-logs-fpkw6", "Container": "ama-logs", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-logs-fpkw6", "Container": "ama-logs-prometheus", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-logs-gqs28", "Container": "ama-logs", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-logs-gqs28", "Container": "ama-logs-prometheus", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-logs-ndxrw", 
"Container": "ama-logs", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-logs-ndxrw", "Container": "ama-logs-prometheus", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-logs-rs-64765bd4b9-ldxwl", "Container": "ama-logs", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-hlggb", "Container": "prometheus-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-hlggb", "Container": "addon-token-adapter", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-q2mlg", "Container": "prometheus-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-q2mlg", "Container": "addon-token-adapter", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-ksm-5bd68b9c-8l9lp", "Container": "ama-metrics-ksm", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-2ssrw", "Container": "prometheus-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more 
secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-2ssrw", "Container": "addon-token-adapter", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-6kkz8", "Container": "prometheus-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-6kkz8", "Container": "addon-token-adapter", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-9h44h", "Container": "prometheus-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-9h44h", "Container": "addon-token-adapter", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-lhk42", "Container": "prometheus-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-lhk42", "Container": "addon-token-adapter", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-nm5bf", "Container": "prometheus-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-nm5bf", "Container": "addon-token-adapter", "Flags": "runAsNonRoot: , 
readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-pqcz5", "Container": "prometheus-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-pqcz5", "Container": "addon-token-adapter", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-operator-targets-66fb46c8d6-vskdg", "Container": "targetallocator", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "ama-metrics-operator-targets-66fb46c8d6-vskdg", "Container": "config-reader", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-4522j", "Container": "azure-ip-masq-agent", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-4c7cr", "Container": "azure-ip-masq-agent", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-78rnw", "Container": "azure-ip-masq-agent", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-84ltn", "Container": "azure-ip-masq-agent", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { 
"Namespace": "kube-system", "Pod": "azure-ip-masq-agent-t4c2w", "Container": "azure-ip-masq-agent", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-vbdd8", "Container": "azure-ip-masq-agent", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "azure-npm-jsbbh", "Container": "azure-npm", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "azure-npm-lp6sf", "Container": "azure-npm", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "azure-npm-nv6xx", "Container": "azure-npm", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "azure-npm-p6fpw", "Container": "azure-npm", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "azure-npm-vsrfp", "Container": "azure-npm", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "azure-npm-z8mcz", "Container": "azure-npm", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "azure-policy-698f7c86b4-nnff2", "Container": "azure-policy", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure 
defaults" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-57rk2", "Container": "cloud-node-manager", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-gl5xl", "Container": "cloud-node-manager", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-l7v5j", "Container": "cloud-node-manager", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-lr49d", "Container": "cloud-node-manager", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-n5qdr", "Container": "cloud-node-manager", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-xwrrd", "Container": "cloud-node-manager", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "coredns-658d6d767d-757xp", "Container": "coredns", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "coredns-658d6d767d-pt6l6", "Container": "coredns", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "coredns-autoscaler-5955d6bbdb-mz9kn", "Container": "autoscaler", "Flags": "runAsNonRoot: , 
readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "extension-agent-66c4486d68-46cqq", "Container": "extension-agent", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "kube-system", "Pod": "extension-agent-66c4486d68-46cqq", "Container": "fluent-bit", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "kube-system", "Pod": "extension-operator-d95fd449b-ssrcx", "Container": "manager", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "kube-system", "Pod": "extension-operator-d95fd449b-ssrcx", "Container": "fluent-bit", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "kube-system", "Pod": "keda-admission-webhooks-787f866c7c-4b64k", "Container": "keda-admission-webhooks", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "keda-admission-webhooks-787f866c7c-dw2sg", "Container": "keda-admission-webhooks", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "keda-operator-6b85944bfb-4zpbp", "Container": "keda-operator", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "keda-operator-6b85944bfb-sx9sj", "Container": "keda-operator", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "keda-operator-metrics-apiserver-8468875db7-86c5h", "Container": "keda-operator-metrics-apiserver", "Flags": "runAsNonRoot: , 
readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "keda-operator-metrics-apiserver-8468875db7-ngp4h", "Container": "keda-operator-metrics-apiserver", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "konnectivity-agent-9f65c5cd8-fzm5q", "Container": "konnectivity-agent", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "konnectivity-agent-9f65c5cd8-t9qdj", "Container": "konnectivity-agent", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "konnectivity-agent-autoscaler-cdfc7c46-vct7p", "Container": "autoscaler", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "kube-proxy-26xkd", "Container": "kube-proxy", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "kube-proxy-6mrql", "Container": "kube-proxy", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "kube-proxy-9rbxf", "Container": "kube-proxy", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "kube-proxy-njzgk", "Container": "kube-proxy", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": 
"kube-system", "Pod": "kube-proxy-rvmxl", "Container": "kube-proxy", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "kube-proxy-vp7xj", "Container": "kube-proxy", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Container": "microsoft-defender-pod-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Container": "microsoft-defender-low-level-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Container": "microsoft-defender-pod-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Container": "microsoft-defender-low-level-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Container": "microsoft-defender-pod-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Container": "microsoft-defender-low-level-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": 
"kube-system", "Pod": "microsoft-defender-collector-ds-mdcs8", "Container": "microsoft-defender-pod-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mdcs8", "Container": "microsoft-defender-low-level-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Container": "microsoft-defender-pod-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Container": "microsoft-defender-low-level-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Container": "microsoft-defender-pod-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Container": "microsoft-defender-low-level-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-misc-7df6776447-bcbph", "Container": "microsoft-defender-pod-collector", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2ql5b", "Container": "microsoft-defender-publisher", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , 
allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2rsrw", "Container": "microsoft-defender-publisher", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-jj6dh", "Container": "microsoft-defender-publisher", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-l5crs", "Container": "microsoft-defender-publisher", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-lfk8h", "Container": "microsoft-defender-publisher", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-vz2c6", "Container": "microsoft-defender-publisher", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "retina-agent-cgv48", "Container": "retina", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "retina-agent-gjxk8", "Container": "retina", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "retina-agent-js76w", "Container": "retina", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { 
"Namespace": "kube-system", "Pod": "retina-agent-lfn7d", "Container": "retina", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "retina-agent-qc9bs", "Container": "retina", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "retina-agent-wlt7b", "Container": "retina", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "vpa-admission-controller-7d9f8d57bd-lrcch", "Container": "admission-controller", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "vpa-admission-controller-7d9f8d57bd-tnqvx", "Container": "admission-controller", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "vpa-recommender-74bfff7f75-sspdc", "Container": "recommender", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kube-system", "Pod": "vpa-updater-5d6d49f8b6-pxkz8", "Container": "updater", "Flags": "runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: ", "Issue": "Missing one or more secure defaults" }, { "Namespace": "kubeview", "Pod": "simple-deployment-74fd649f8d-qxp2r", "Container": "webserver-simple", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "linkerd", "Pod": "simple-deployment-74fd649f8d-mkmst", "Container": "webserver-simple", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "nginx", "Pod": 
"simple-deployment-74fd649f8d-hlcdk", "Container": "webserver-simple", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "pets", "Pod": "order-service-6c5bfb6946-b58xq", "Container": "order-service", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "pets", "Pod": "product-service-5dd87dfb8-ssfxc", "Container": "product-service", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "pets", "Pod": "rabbitmq-0", "Container": "rabbitmq", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "pets", "Pod": "store-front-658994fd95-pk9qn", "Container": "store-front", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "prometheus", "Pod": "simple-deployment-74fd649f8d-2x6w5", "Container": "webserver-simple", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "sealed-secrets", "Pod": "simple-deployment-74fd649f8d-stktp", "Container": "webserver-simple", "Flags": "Missing securityContext", "Issue": "No securityContext defined" }, { "Namespace": "test", "Pod": "simple-deployment-74fd649f8d-lhlkx", "Container": "webserver-simple", "Flags": "Missing securityContext", "Issue": "No securityContext defined" } ] }, "PVC001": { "Total": 0, "URL": "https://kubernetes.io/docs/concepts/storage/persistent-volumes/", "Name": "Unused Persistent Volume Claims", "Description": "Detects PVCs not attached to any pod.", "Recommendation": "Review and delete unused PVCs to reclaim storage.", "Weight": 2, "ID": "PVC001", "Message": "No issues detected for Unused Persistent Volume Claims.", "ResourceKind": "PersistentVolumeClaim", "Section": "Storage", "Category": "Volumes", "Severity": "Medium", "Items": [] }, "RBAC001": { "Total": 10, "URL": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", "Name": "RBAC Misconfigurations", "Description": 
"Detects invalid roleRefs, missing roles, orphaned service accounts, and incorrect subject namespaces in RoleBindings and ClusterRoleBindings.", "Recommendation": "Fix missing roleRefs, service accounts, and invalid namespaces in RoleBindings and ClusterRoleBindings.", "Weight": 4, "ID": "RBAC001", "ResourceKind": "ClusterRoleBinding", "Section": "Security", "Category": "RBAC", "Severity": "High", "Items": [ { "Namespace": "kube-system", "Resource": "RoleBinding/system::leader-locking-kube-controller-manager", "Value": "ServiceAccount/kube-controller-manager", "Message": "ServiceAccount not found" }, { "Namespace": "kube-system", "Resource": "RoleBinding/system::leader-locking-kube-scheduler", "Value": "ServiceAccount/kube-scheduler", "Message": "ServiceAccount not found" }, { "Namespace": "kube-system", "Resource": "RoleBinding/system:controller:cloud-provider", "Value": "ServiceAccount/cloud-provider", "Message": "ServiceAccount not found" }, { "Namespace": "aks-istio-system", "Resource": "ClusterRoleBinding/istio-reader-clusterrole-asm-1-23-aks-istio-system", "Value": "ServiceAccount/istio-reader-service-account", "Message": "ServiceAccount not found" }, { "Namespace": "kube-system", "Resource": "ClusterRoleBinding/secretproviderrotation-rolebinding", "Value": "ServiceAccount/secrets-store-csi-driver", "Message": "ServiceAccount not found" }, { "Namespace": "kube-system", "Resource": "ClusterRoleBinding/system:azure-cloud-provider", "Value": "ServiceAccount/azure-cloud-provider", "Message": "ServiceAccount not found" }, { "Namespace": "kube-system", "Resource": "ClusterRoleBinding/system:azure-cloud-provider-secret-getter", "Value": "ServiceAccount/azure-cloud-provider", "Message": "ServiceAccount not found" }, { "Namespace": "kube-system", "Resource": "ClusterRoleBinding/system:controller:route-controller", "Value": "ServiceAccount/route-controller", "Message": "ServiceAccount not found" }, { "Namespace": "kube-system", "Resource": 
"ClusterRoleBinding/system:controller:service-controller", "Value": "ServiceAccount/service-controller", "Message": "ServiceAccount not found" }, { "Namespace": "kube-system", "Resource": "ClusterRoleBinding/system:kube-dns", "Value": "ServiceAccount/kube-dns", "Message": "ServiceAccount not found" } ] }, "POD002": { "Total": 0, "URL": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase", "Name": "Long Running Pods", "Description": "Flags pods that have been running longer than configured thresholds.", "Recommendation": "Review long-running pods and determine if they should be restarted or replaced by updated deployments.", "Weight": 2, "ID": "POD002", "Message": "No issues detected for Long Running Pods.", "ResourceKind": "Pod", "Section": "Pods", "Category": "Workloads", "Severity": "Warning", "Items": [] }, "NET004": { "Total": 16, "URL": "https://kubernetes.io/docs/concepts/services-networking/network-policies/", "Name": "Namespace Missing Network Policy", "Description": "Detects namespaces that have running pods but no associated NetworkPolicy resources. 
This could allow unrestricted pod-to-pod communication.\n", "Recommendation": "Apply a default deny-all ingress/egress NetworkPolicy in each namespace that hosts workloads, then selectively allow traffic as needed.\n", "Weight": 3, "ID": "NET004", "ResourceKind": "Namespace", "Section": "Networking", "Category": "Security", "Severity": "Medium", "Items": [ { "Namespace": "aks-istio-ingress", "Pods": 2, "Policies": 0, "Issue": "No NetworkPolicy in active namespace" }, { "Namespace": "aks-istio-system", "Pods": 2, "Policies": 0, "Issue": "No NetworkPolicy in active namespace" }, { "Namespace": "app-routing-system", "Pods": 2, "Policies": 0, "Issue": "No NetworkPolicy in active namespace" }, { "Namespace": "argo-rollouts", "Pods": 1, "Policies": 0, "Issue": "No NetworkPolicy in active namespace" }, { "Namespace": "argo-workflows", "Pods": 1, "Policies": 0, "Issue": "No NetworkPolicy in active namespace" }, { "Namespace": "cert-manager", "Pods": 1, "Policies": 0, "Issue": "No NetworkPolicy in active namespace" }, { "Namespace": "gatekeeper-system", "Pods": 3, "Policies": 0, "Issue": "No NetworkPolicy in active namespace" }, { "Namespace": "grafana", "Pods": 1, "Policies": 0, "Issue": "No NetworkPolicy in active namespace" }, { "Namespace": "kiali-operator", "Pods": 2, "Policies": 0, "Issue": "No NetworkPolicy in active namespace" }, { "Namespace": "kubeview", "Pods": 1, "Policies": 0, "Issue": "No NetworkPolicy in active namespace" }, { "Namespace": "linkerd", "Pods": 1, "Policies": 0, "Issue": "No NetworkPolicy in active namespace" }, { "Namespace": "nginx", "Pods": 1, "Policies": 0, "Issue": "No NetworkPolicy in active namespace" }, { "Namespace": "pets", "Pods": 4, "Policies": 0, "Issue": "No NetworkPolicy in active namespace" }, { "Namespace": "prometheus", "Pods": 1, "Policies": 0, "Issue": "No NetworkPolicy in active namespace" }, { "Namespace": "sealed-secrets", "Pods": 1, "Policies": 0, "Issue": "No NetworkPolicy in active namespace" }, { "Namespace": "test", 
"Pods": 1, "Policies": 0, "Issue": "No NetworkPolicy in active namespace" } ] }, "AKSBP005": { "ID": "AKSBP005", "Severity": "Medium", "URL": "https://learn.microsoft.com/azure/aks/concepts-storage#ephemeral-os-disk", "FailMessage": "", "Name": "Ephemeral OS Disks Enabled", "Recommendation": "Ephemeral OS disks are enabled.", "Status": "✅ PASS", "Category": "Best Practices", "Total": 0, "Items": null }, "SEC014": { "Total": 180, "URL": "https://kubernetes.io/docs/concepts/containers/images/", "Name": "Untrusted Image Registries", "Description": "Flags images that are not pulled from approved registries.\n", "Recommendation": "Use only trusted registries. Restrict deployment sources via policy.", "Weight": 3, "ID": "SEC014", "ResourceKind": "Pod", "Section": "Security", "Category": "Pod Security", "Severity": "High", "Items": [ { "Namespace": "aks-istio-ingress", "Pod": "aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4", "Container": "istio-proxy", "Image": "mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless", "Issue": "Image from untrusted registry" }, { "Namespace": "aks-istio-ingress", "Pod": "aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb", "Container": "istio-proxy", "Image": "mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless", "Issue": "Image from untrusted registry" }, { "Namespace": "aks-istio-system", "Pod": "istiod-asm-1-23-7744d5fbf4-9572m", "Container": "discovery", "Image": "mcr.microsoft.com/oss/istio/pilot:1.23.5-distroless", "Issue": "Image from untrusted registry" }, { "Namespace": "aks-istio-system", "Pod": "istiod-asm-1-23-7744d5fbf4-rqzvt", "Container": "discovery", "Image": "mcr.microsoft.com/oss/istio/pilot:1.23.5-distroless", "Issue": "Image from untrusted registry" }, { "Namespace": "app-routing-system", "Pod": "nginx-69fcb489fd-4wgk9", "Container": "controller", "Image": "mcr.microsoft.com/oss/kubernetes/ingress/nginx-ingress-controller:v1.11.5", "Issue": "Image from untrusted registry" }, { "Namespace":
"app-routing-system", "Pod": "nginx-69fcb489fd-64v6k", "Container": "controller", "Image": "mcr.microsoft.com/oss/kubernetes/ingress/nginx-ingress-controller:v1.11.5", "Issue": "Image from untrusted registry" }, { "Namespace": "argo-rollouts", "Pod": "simple-deployment-74fd649f8d-996vt", "Container": "webserver-simple", "Image": "docker.io/kostiscodefresh/gitops-simple-app:v1.0", "Issue": "Image from untrusted registry" }, { "Namespace": "argo-workflows", "Pod": "simple-deployment-74fd649f8d-24t56", "Container": "webserver-simple", "Image": "docker.io/kostiscodefresh/gitops-simple-app:v1.0", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-application-controller-0", "Container": "argocd-application-controller", "Image": "mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-applicationset-controller-6fdf84dbb6-msffz", "Container": "argocd-applicationset-controller", "Image": "mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-dex-server-556c76889-h4kxj", "Container": "dex", "Image": "mcr.microsoft.com/oss/v2/dexidp/dex:v2.41.1", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-notifications-controller-6ff6bf8dd6-nbktr", "Container": "argocd-notifications-controller", "Image": "mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-haproxy-fb657456c-kjbkq", "Container": "haproxy", "Image": "mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-haproxy-fb657456c-kjlpf", "Container": "haproxy", "Image": "mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": 
"argocd-redis-ha-haproxy-fb657456c-tnjmb", "Container": "haproxy", "Image": "mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-0", "Container": "redis", "Image": "mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-0", "Container": "sentinel", "Image": "mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-0", "Container": "split-brain-fix", "Image": "mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-1", "Container": "redis", "Image": "mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-1", "Container": "sentinel", "Image": "mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-1", "Container": "split-brain-fix", "Image": "mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-2", "Container": "redis", "Image": "mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-2", "Container": "sentinel", "Image": "mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-2", "Container": "split-brain-fix", "Image": "mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-repo-server-8568fc89b5-sx6ks", "Container": "argocd-repo-server", 
"Image": "mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-repo-server-8568fc89b5-xrzzn", "Container": "argocd-repo-server", "Image": "mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-server-54f9645b87-k4rz8", "Container": "argocd-server", "Image": "mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1", "Issue": "Image from untrusted registry" }, { "Namespace": "argocd", "Pod": "argocd-server-54f9645b87-wwzgz", "Container": "argocd-server", "Image": "mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1", "Issue": "Image from untrusted registry" }, { "Namespace": "cert-manager", "Pod": "simple-deployment-74fd649f8d-7cht8", "Container": "webserver-simple", "Image": "docker.io/kostiscodefresh/gitops-simple-app:v1.0", "Issue": "Image from untrusted registry" }, { "Namespace": "gatekeeper-system", "Pod": "gatekeeper-audit-77858c8f69-7k782", "Container": "gatekeeper-audit-container", "Image": "mcr.microsoft.com/oss/v2/open-policy-agent/gatekeeper:v3.18.2-1", "Issue": "Image from untrusted registry" }, { "Namespace": "gatekeeper-system", "Pod": "gatekeeper-controller-6f97954b4b-7tbnr", "Container": "gatekeeper-controller-container", "Image": "mcr.microsoft.com/oss/v2/open-policy-agent/gatekeeper:v3.18.2-1", "Issue": "Image from untrusted registry" }, { "Namespace": "gatekeeper-system", "Pod": "gatekeeper-controller-6f97954b4b-gwrgg", "Container": "gatekeeper-controller-container", "Image": "mcr.microsoft.com/oss/v2/open-policy-agent/gatekeeper:v3.18.2-1", "Issue": "Image from untrusted registry" }, { "Namespace": "grafana", "Pod": "simple-deployment-74fd649f8d-l7wrd", "Container": "webserver-simple", "Image": "docker.io/kostiscodefresh/gitops-simple-app:v1.0", "Issue": "Image from untrusted registry" }, { "Namespace": "kiali-operator", "Pod": "kiali-5b88cfb6f8-cm8dz", "Container": 
"kiali", "Image": "quay.io/kiali/kiali:v2.7.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kiali-operator", "Pod": "kiali-operator-696bd54db-mr8md", "Container": "operator", "Image": "quay.io/kiali/kiali-operator:v2.7.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-2l2wl", "Container": "node-driver-registrar", "Image": "mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-2l2wl", "Container": "secrets-store", "Image": "mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-2l2wl", "Container": "liveness-probe", "Image": "mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-6w2vp", "Container": "node-driver-registrar", "Image": "mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-6w2vp", "Container": "secrets-store", "Image": "mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-6w2vp", "Container": "liveness-probe", "Image": "mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-7879c", "Container": "node-driver-registrar", "Image": "mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-7879c", "Container": 
"secrets-store", "Image": "mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-7879c", "Container": "liveness-probe", "Image": "mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-m8m29", "Container": "node-driver-registrar", "Image": "mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-m8m29", "Container": "secrets-store", "Image": "mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-m8m29", "Container": "liveness-probe", "Image": "mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-vnmcd", "Container": "node-driver-registrar", "Image": "mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-vnmcd", "Container": "secrets-store", "Image": "mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-vnmcd", "Container": "liveness-probe", "Image": "mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-zrfbz", "Container": "node-driver-registrar", "Image": "mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1", "Issue": "Image from untrusted registry" }, { "Namespace": 
"kube-system", "Pod": "aks-secrets-store-csi-driver-zrfbz", "Container": "secrets-store", "Image": "mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-zrfbz", "Container": "liveness-probe", "Image": "mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-68nhw", "Container": "provider-azure-installer", "Image": "mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-7bqmn", "Container": "provider-azure-installer", "Image": "mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-7r458", "Container": "provider-azure-installer", "Image": "mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-k9tdc", "Container": "provider-azure-installer", "Image": "mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-n952g", "Container": "provider-azure-installer", "Image": "mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-njpqh", "Container": "provider-azure-installer", "Image": "mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-logs-4v8mz", "Container": "ama-logs", "Image": 
"mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-logs-4v8mz", "Container": "ama-logs-prometheus", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-logs-5vr2w", "Container": "ama-logs", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-logs-5vr2w", "Container": "ama-logs-prometheus", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-logs-fmd7b", "Container": "ama-logs", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-logs-fmd7b", "Container": "ama-logs-prometheus", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-logs-fpkw6", "Container": "ama-logs", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-logs-fpkw6", "Container": "ama-logs-prometheus", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-logs-gqs28", "Container": "ama-logs", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-logs-gqs28", "Container": "ama-logs-prometheus", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": 
"ama-logs-ndxrw", "Container": "ama-logs", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-logs-ndxrw", "Container": "ama-logs-prometheus", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-logs-rs-64765bd4b9-ldxwl", "Container": "ama-logs", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-hlggb", "Container": "prometheus-collector", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-hlggb", "Container": "addon-token-adapter", "Image": "mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-q2mlg", "Container": "prometheus-collector", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-7f878d975f-q2mlg", "Container": "addon-token-adapter", "Image": "mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-ksm-5bd68b9c-8l9lp", "Container": "ama-metrics-ksm", "Image": "mcr.microsoft.com/oss/kubernetes/kube-state-metrics:v2.12.0", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-2ssrw", "Container": "prometheus-collector", "Image": 
"mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-2ssrw", "Container": "addon-token-adapter", "Image": "mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-6kkz8", "Container": "prometheus-collector", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-6kkz8", "Container": "addon-token-adapter", "Image": "mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-9h44h", "Container": "prometheus-collector", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-9h44h", "Container": "addon-token-adapter", "Image": "mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-lhk42", "Container": "prometheus-collector", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-lhk42", "Container": "addon-token-adapter", "Image": "mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-nm5bf", "Container": "prometheus-collector", "Image": 
"mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-nm5bf", "Container": "addon-token-adapter", "Image": "mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-pqcz5", "Container": "prometheus-collector", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-node-pqcz5", "Container": "addon-token-adapter", "Image": "mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-operator-targets-66fb46c8d6-vskdg", "Container": "targetallocator", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c-targetallocator", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "ama-metrics-operator-targets-66fb46c8d6-vskdg", "Container": "config-reader", "Image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c-cfg", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-4522j", "Container": "azure-ip-masq-agent", "Image": "mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-4c7cr", "Container": "azure-ip-masq-agent", "Image": "mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-78rnw", "Container": 
"azure-ip-masq-agent", "Image": "mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-84ltn", "Container": "azure-ip-masq-agent", "Image": "mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-t4c2w", "Container": "azure-ip-masq-agent", "Image": "mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-vbdd8", "Container": "azure-ip-masq-agent", "Image": "mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "azure-npm-jsbbh", "Container": "azure-npm", "Image": "mcr.microsoft.com/containernetworking/azure-npm:v1.5.45", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "azure-npm-lp6sf", "Container": "azure-npm", "Image": "mcr.microsoft.com/containernetworking/azure-npm:v1.5.45", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "azure-npm-nv6xx", "Container": "azure-npm", "Image": "mcr.microsoft.com/containernetworking/azure-npm:v1.5.45", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "azure-npm-p6fpw", "Container": "azure-npm", "Image": "mcr.microsoft.com/containernetworking/azure-npm:v1.5.45", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "azure-npm-vsrfp", "Container": "azure-npm", "Image": "mcr.microsoft.com/containernetworking/azure-npm:v1.5.45", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "azure-npm-z8mcz", "Container": "azure-npm", "Image": "mcr.microsoft.com/containernetworking/azure-npm:v1.5.45", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": 
"azure-policy-698f7c86b4-nnff2", "Container": "azure-policy", "Image": "mcr.microsoft.com/azure-policy/policy-kubernetes-addon-prod:1.10.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "azure-policy-webhook-764fdf5cd5-6vrc5", "Container": "azure-policy-webhook", "Image": "mcr.microsoft.com/azure-policy/policy-kubernetes-webhook:1.10.0", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "azure-wi-webhook-controller-manager-7f95f666d4-7r44b", "Container": "manager", "Image": "mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.4.0", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "azure-wi-webhook-controller-manager-7f95f666d4-xfh2p", "Container": "manager", "Image": "mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.4.0", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-57rk2", "Container": "cloud-node-manager", "Image": "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-gl5xl", "Container": "cloud-node-manager", "Image": "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-l7v5j", "Container": "cloud-node-manager", "Image": "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-lr49d", "Container": "cloud-node-manager", "Image": "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "cloud-node-manager-n5qdr", "Container": "cloud-node-manager", "Image": "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10", "Issue": "Image from untrusted registry" 
}, { "Namespace": "kube-system", "Pod": "cloud-node-manager-xwrrd", "Container": "cloud-node-manager", "Image": "mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "coredns-658d6d767d-757xp", "Container": "coredns", "Image": "mcr.microsoft.com/oss/v2/kubernetes/coredns:v1.9.4-5", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "coredns-658d6d767d-pt6l6", "Container": "coredns", "Image": "mcr.microsoft.com/oss/v2/kubernetes/coredns:v1.9.4-5", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "coredns-autoscaler-5955d6bbdb-mz9kn", "Container": "autoscaler", "Image": "mcr.microsoft.com/oss/v2/kubernetes/autoscaler/cluster-proportional-autoscaler:v1.8.11-5", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "eraser-controller-manager-864f9476c8-lhdfc", "Container": "manager", "Image": "mcr.microsoft.com/oss/v2/eraser/eraser-manager:v1.4.0-2", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "extension-agent-66c4486d68-46cqq", "Container": "extension-agent", "Image": "mcr.microsoft.com/azurearck8s/aks/stable/config-agent:1.23.3", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "extension-agent-66c4486d68-46cqq", "Container": "fluent-bit", "Image": "mcr.microsoft.com/azurearck8s/aks/stable/fluent-bit-collector:1.23.3", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "extension-operator-d95fd449b-ssrcx", "Container": "manager", "Image": "mcr.microsoft.com/azurearck8s/aks/stable/extensionoperator:1.23.3", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "extension-operator-d95fd449b-ssrcx", "Container": "fluent-bit", "Image": "mcr.microsoft.com/azurearck8s/aks/stable/fluent-bit-collector:1.23.3", "Issue": "Image from untrusted registry" }, { "Namespace": 
"kube-system", "Pod": "keda-admission-webhooks-787f866c7c-4b64k", "Container": "keda-admission-webhooks", "Image": "mcr.microsoft.com/oss/kedacore/keda-admission-webhooks:2.14.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "keda-admission-webhooks-787f866c7c-dw2sg", "Container": "keda-admission-webhooks", "Image": "mcr.microsoft.com/oss/kedacore/keda-admission-webhooks:2.14.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "keda-operator-6b85944bfb-4zpbp", "Container": "keda-operator", "Image": "mcr.microsoft.com/oss/kedacore/keda:2.14.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "keda-operator-6b85944bfb-sx9sj", "Container": "keda-operator", "Image": "mcr.microsoft.com/oss/kedacore/keda:2.14.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "keda-operator-metrics-apiserver-8468875db7-86c5h", "Container": "keda-operator-metrics-apiserver", "Image": "mcr.microsoft.com/oss/kedacore/keda-metrics-apiserver:2.14.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "keda-operator-metrics-apiserver-8468875db7-ngp4h", "Container": "keda-operator-metrics-apiserver", "Image": "mcr.microsoft.com/oss/kedacore/keda-metrics-apiserver:2.14.1", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "konnectivity-agent-9f65c5cd8-fzm5q", "Container": "konnectivity-agent", "Image": "mcr.microsoft.com/oss/kubernetes/apiserver-network-proxy/agent:v0.30.3-hotfix.20240819", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "konnectivity-agent-9f65c5cd8-t9qdj", "Container": "konnectivity-agent", "Image": "mcr.microsoft.com/oss/kubernetes/apiserver-network-proxy/agent:v0.30.3-hotfix.20240819", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "konnectivity-agent-autoscaler-cdfc7c46-vct7p", "Container": "autoscaler", "Image": 
"mcr.microsoft.com/oss/v2/kubernetes/autoscaler/cluster-proportional-autoscaler:v1.8.11-5", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "kube-proxy-26xkd", "Container": "kube-proxy", "Image": "mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "kube-proxy-6mrql", "Container": "kube-proxy", "Image": "mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "kube-proxy-9rbxf", "Container": "kube-proxy", "Image": "mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "kube-proxy-njzgk", "Container": "kube-proxy", "Image": "mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "kube-proxy-rvmxl", "Container": "kube-proxy", "Image": "mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "kube-proxy-vp7xj", "Container": "kube-proxy", "Image": "mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "metrics-server-5f9ccffcc4-jsrjl", "Container": "metrics-server-vpa", "Image": "mcr.microsoft.com/oss/v2/kubernetes/autoscaler/addon-resizer:v1.8.23-2", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "metrics-server-5f9ccffcc4-jsrjl", "Container": "metrics-server", "Image": "mcr.microsoft.com/oss/v2/kubernetes/metrics-server:v0.6.3-5", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "metrics-server-5f9ccffcc4-v88pw", "Container": "metrics-server-vpa", "Image": "mcr.microsoft.com/oss/v2/kubernetes/autoscaler/addon-resizer:v1.8.23-2", "Issue": "Image from untrusted registry" }, { "Namespace": 
"kube-system", "Pod": "metrics-server-5f9ccffcc4-v88pw", "Container": "metrics-server", "Image": "mcr.microsoft.com/oss/v2/kubernetes/metrics-server:v0.6.3-5", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Container": "microsoft-defender-pod-collector", "Image": "mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Container": "microsoft-defender-low-level-collector", "Image": "mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Container": "microsoft-defender-pod-collector", "Image": "mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Container": "microsoft-defender-low-level-collector", "Image": "mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Container": "microsoft-defender-pod-collector", "Image": "mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Container": "microsoft-defender-low-level-collector", "Image": "mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mdcs8", "Container": "microsoft-defender-pod-collector", "Image": "mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": 
"microsoft-defender-collector-ds-mdcs8", "Container": "microsoft-defender-low-level-collector", "Image": "mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Container": "microsoft-defender-pod-collector", "Image": "mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Container": "microsoft-defender-low-level-collector", "Image": "mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Container": "microsoft-defender-pod-collector", "Image": "mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Container": "microsoft-defender-low-level-collector", "Image": "mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-misc-7df6776447-bcbph", "Container": "microsoft-defender-pod-collector", "Image": "mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2ql5b", "Container": "microsoft-defender-publisher", "Image": "mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2rsrw", "Container": "microsoft-defender-publisher", "Image": "mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", 
"Pod": "microsoft-defender-publisher-ds-jj6dh", "Container": "microsoft-defender-publisher", "Image": "mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-l5crs", "Container": "microsoft-defender-publisher", "Image": "mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-lfk8h", "Container": "microsoft-defender-publisher", "Image": "mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-vz2c6", "Container": "microsoft-defender-publisher", "Image": "mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "retina-agent-cgv48", "Container": "retina", "Image": "mcr.microsoft.com/containernetworking/retina-agent:v0.0.30", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "retina-agent-gjxk8", "Container": "retina", "Image": "mcr.microsoft.com/containernetworking/retina-agent:v0.0.30", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "retina-agent-js76w", "Container": "retina", "Image": "mcr.microsoft.com/containernetworking/retina-agent:v0.0.30", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "retina-agent-lfn7d", "Container": "retina", "Image": "mcr.microsoft.com/containernetworking/retina-agent:v0.0.30", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "retina-agent-qc9bs", "Container": "retina", "Image": "mcr.microsoft.com/containernetworking/retina-agent:v0.0.30", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "retina-agent-wlt7b", 
"Container": "retina", "Image": "mcr.microsoft.com/containernetworking/retina-agent:v0.0.30", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "vpa-admission-controller-7d9f8d57bd-lrcch", "Container": "admission-controller", "Image": "mcr.microsoft.com/oss/kubernetes/autoscaler/vpa-admission-controller:1.0.0", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "vpa-admission-controller-7d9f8d57bd-tnqvx", "Container": "admission-controller", "Image": "mcr.microsoft.com/oss/kubernetes/autoscaler/vpa-admission-controller:1.0.0", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "vpa-recommender-74bfff7f75-sspdc", "Container": "recommender", "Image": "mcr.microsoft.com/oss/kubernetes/autoscaler/vpa-recommender:1.0.0", "Issue": "Image from untrusted registry" }, { "Namespace": "kube-system", "Pod": "vpa-updater-5d6d49f8b6-pxkz8", "Container": "updater", "Image": "mcr.microsoft.com/oss/kubernetes/autoscaler/vpa-updater:1.0.0", "Issue": "Image from untrusted registry" }, { "Namespace": "kubeview", "Pod": "simple-deployment-74fd649f8d-qxp2r", "Container": "webserver-simple", "Image": "docker.io/kostiscodefresh/gitops-simple-app:v1.0", "Issue": "Image from untrusted registry" }, { "Namespace": "linkerd", "Pod": "simple-deployment-74fd649f8d-mkmst", "Container": "webserver-simple", "Image": "docker.io/kostiscodefresh/gitops-simple-app:v1.0", "Issue": "Image from untrusted registry" }, { "Namespace": "nginx", "Pod": "simple-deployment-74fd649f8d-hlcdk", "Container": "webserver-simple", "Image": "docker.io/kostiscodefresh/gitops-simple-app:v1.0", "Issue": "Image from untrusted registry" }, { "Namespace": "pets", "Pod": "order-service-6c5bfb6946-b58xq", "Container": "istio-proxy", "Image": "mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless", "Issue": "Image from untrusted registry" }, { "Namespace": "pets", "Pod": "product-service-5dd87dfb8-ssfxc", "Container": "istio-proxy", 
"Image": "mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless", "Issue": "Image from untrusted registry" }, { "Namespace": "pets", "Pod": "rabbitmq-0", "Container": "rabbitmq", "Image": "mcr.microsoft.com/mirror/docker/library/rabbitmq:3.10-management-alpine", "Issue": "Image from untrusted registry" }, { "Namespace": "pets", "Pod": "rabbitmq-0", "Container": "istio-proxy", "Image": "mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless", "Issue": "Image from untrusted registry" }, { "Namespace": "pets", "Pod": "store-front-658994fd95-pk9qn", "Container": "istio-proxy", "Image": "mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless", "Issue": "Image from untrusted registry" }, { "Namespace": "prometheus", "Pod": "simple-deployment-74fd649f8d-2x6w5", "Container": "webserver-simple", "Image": "docker.io/kostiscodefresh/gitops-simple-app:v1.0", "Issue": "Image from untrusted registry" }, { "Namespace": "sealed-secrets", "Pod": "simple-deployment-74fd649f8d-stktp", "Container": "webserver-simple", "Image": "docker.io/kostiscodefresh/gitops-simple-app:v1.0", "Issue": "Image from untrusted registry" }, { "Namespace": "test", "Pod": "simple-deployment-74fd649f8d-lhlkx", "Container": "webserver-simple", "Image": "docker.io/kostiscodefresh/gitops-simple-app:v1.0", "Issue": "Image from untrusted registry" } ] }, "AKSDR001": { "ID": "AKSDR001", "Severity": "High", "URL": "https://learn.microsoft.com/azure/aks/availability-zones", "FailMessage": "", "Name": "Agent Pools with Availability Zones", "Recommendation": "Agent Pools with Availability Zones is enabled.", "Status": "✅ PASS", "Category": "Disaster Recovery", "Total": 0, "Items": null }, "POD006": { "Total": 0, "URL": "https://kubernetes.io/docs/tasks/debug/debug-cluster/debug-running-pod/", "Name": "Leftover Debug Pods", "Description": "Detects pods created by 'kubectl debug' that haven't been cleaned up.", "Recommendation": "Delete any leftover debug pods and review your debugging practices.", "Weight": 2, "ID": 
"POD006", "Message": "No issues detected for Leftover Debug Pods.", "ResourceKind": "Pod", "Section": "Pods", "Category": "Workloads", "Severity": "Warning", "Items": [] }, "AKSBP002": { "ID": "AKSBP002", "Severity": "High", "URL": "https://learn.microsoft.com/azure/aks/policy-reference", "FailMessage": "The 'No Privileged Containers' policy is either missing or not enforcing deny mode, allowing potentially insecure workloads.", "Name": "No Privileged Containers Policy Enforcement", "Recommendation": "Deploy and enforce the 'No Privileged Containers' policy in deny mode to block privileged containers and enhance security.", "Status": "❌ FAIL", "Category": "Best Practices", "Total": 1, "Items": { "Issue": "Deploy and enforce the 'No Privileged Containers' policy in deny mode to block privileged containers and enhance security.", "Resource": "No Privileged Containers Policy Enforcement" } }, "AKSIAM005": { "ID": "AKSIAM005", "Severity": "High", "URL": "https://learn.microsoft.com/azure/aks/enable-authentication-microsoft-entra-id", "FailMessage": "", "Name": "AAD RBAC Authorization Integrated", "Recommendation": "AAD RBAC Authorization Integrated is enabled.", "Status": "✅ PASS", "Category": "Identity & Access", "Total": 0, "Items": null }, "AKSSEC003": { "ID": "AKSSEC003", "Severity": "High", "URL": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", "FailMessage": "", "Name": "Defender for Containers", "Recommendation": "Defender for Containers is enabled.", "Status": "✅ PASS", "Category": "Security", "Total": 0, "Items": null }, "AKSBP003": { "ID": "AKSBP003", "Severity": "Medium", "URL": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools", "FailMessage": "", "Name": "Multiple Node Pools", "Recommendation": "Multiple Node Pools is enabled.", "Status": "✅ PASS", "Category": "Best Practices", "Total": 0, "Items": null }, "POD007": { "Total": 3, "URL": 
"https://kubernetes.io/docs/concepts/containers/images/#image-tags", "Name": "Container images do not use latest tag", "Description": "Flags containers using the 'latest' tag in their image, which can cause unpredictable upgrades.", "Recommendation": "Specify an explicit image tag (e.g., ':v1.2.3') to ensure consistent deployments.", "Weight": 3, "ID": "POD007", "ResourceKind": "Pod", "Section": "Pods", "Category": "Resource Management", "Severity": "High", "Items": [ { "Namespace": "pets", "Resource": "pod/order-service-6c5bfb6946-b58xq", "Value": "ghcr.io/azure-samples/aks-store-demo/order-service:latest, mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless", "Message": "Container image uses the 'latest' tag, which can lead to unpredictable deployments." }, { "Namespace": "pets", "Resource": "pod/product-service-5dd87dfb8-ssfxc", "Value": "ghcr.io/azure-samples/aks-store-demo/product-service:latest, mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless", "Message": "Container image uses the 'latest' tag, which can lead to unpredictable deployments." }, { "Namespace": "pets", "Resource": "pod/store-front-658994fd95-pk9qn", "Value": "ghcr.io/azure-samples/aks-store-demo/store-front:latest, mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless", "Message": "Container image uses the 'latest' tag, which can lead to unpredictable deployments." 
} ] }, "AKSBP011": { "ID": "AKSBP011", "Severity": "High", "URL": "https://learn.microsoft.com/azure/aks/use-system-pools?tabs=azure-cli#recommendations", "FailMessage": "", "Name": "System Node Pool Minimum Size", "Recommendation": "System Node Pool Minimum Size is enabled.", "Status": "✅ PASS", "Category": "Best Practices", "Total": 0, "Items": null }, "WRK003": { "Total": 0, "URL": "https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/", "Name": "StatefulSet Incomplete Rollout", "Description": "Detects StatefulSets where the number of ready replicas is less than the desired count.", "Recommendation": "Investigate StatefulSets with missing ready replicas. This may indicate issues with pod readiness or volume binding.", "Weight": 3, "ID": "WRK003", "Message": "No issues detected for StatefulSet Incomplete Rollout.", "ResourceKind": "StatefulSet", "Section": "Workloads", "Category": "Workloads", "Severity": "Warning", "Items": [] }, "AKSSEC005": { "ID": "AKSSEC005", "Severity": "High", "URL": "https://learn.microsoft.com/azure/aks/csi-secrets-store-driver", "FailMessage": "", "Name": "Azure Key Vault Integration", "Recommendation": "Azure Key Vault Integration is enabled.", "Status": "✅ PASS", "Category": "Security", "Total": 0, "Items": null }, "WRK004": { "Total": 0, "URL": "https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/", "Name": "HPA Misconfiguration or Inactivity", "Description": "Checks for HPAs that have missing targets, no metrics, or inactive scaling.", "Recommendation": "Review HorizontalPodAutoscalers with missing targets, no metrics, or disabled scaling.", "Weight": 1, "ID": "WRK004", "Message": "No issues detected for HPA Misconfiguration or Inactivity.", "ResourceKind": "HorizontalPodAutoscaler", "Section": "Workloads", "Category": "Workloads", "Severity": "Warning", "Items": [] }, "AKSBP004": { "ID": "AKSBP004", "Severity": "High", "URL": "https://learn.microsoft.com/azure/aks/use-azure-linux", 
"FailMessage": "", "Name": "Azure Linux as Host OS", "Recommendation": "Azure Linux as Host OS is enabled.", "Status": "✅ PASS", "Category": "Best Practices", "Total": 0, "Items": null }, "AKSNET003": { "ID": "AKSNET003", "Severity": "Low", "URL": "https://learn.microsoft.com/azure/aks/web-app-routing", "FailMessage": "", "Name": "Web App Routing Enabled", "Recommendation": "Web App Routing Enabled is enabled.", "Status": "✅ PASS", "Category": "Networking", "Total": 0, "Items": null }, "WRK006": { "Total": 25, "URL": "https://kubernetes.io/docs/tasks/run-application/configure-pdb/", "Name": "PDB Coverage and Effectiveness", "Description": "Detects missing or weak PDBs for workloads", "Recommendation": "Workloads should have a valid PDB to prevent availability issues during disruptions.", "Weight": 2, "ID": "WRK006", "ResourceKind": "PodDisruptionBudget", "Section": "Workloads", "Category": "PDBs", "Severity": "High", "Items": [ { "Namespace": "app-routing-system", "Name": "nginx", "Kind": "PDB", "Issue": "⚠️ maxUnavailable = 100%" }, { "Namespace": "argo-rollouts", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "argo-workflows", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "argocd", "Name": "argocd-applicationset-controller", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "argocd", "Name": "argocd-dex-server", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "argocd", "Name": "argocd-notifications-controller", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "argocd", "Name": "argocd-redis-ha-haproxy", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "argocd", "Name": "argocd-repo-server", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "argocd", "Name": "argocd-server", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "cert-manager", "Name": 
"simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "grafana", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "kiali-operator", "Name": "kiali", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "kiali-operator", "Name": "kiali-operator", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "kubeview", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "linkerd", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "nginx", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "pets", "Name": "order-service", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "pets", "Name": "product-service", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "pets", "Name": "store-front", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "prometheus", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "sealed-secrets", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "test", "Name": "simple-deployment", "Kind": "Deployment", "Issue": "❌ No matching PDB" }, { "Namespace": "argocd", "Name": "argocd-application-controller", "Kind": "StatefulSet", "Issue": "❌ No matching PDB" }, { "Namespace": "argocd", "Name": "argocd-redis-ha-server", "Kind": "StatefulSet", "Issue": "❌ No matching PDB" }, { "Namespace": "pets", "Name": "rabbitmq", "Kind": "StatefulSet", "Issue": "❌ No matching PDB" } ] }, "SEC007": { "Total": 32, "URL": "https://kubernetes.io/docs/concepts/security/pod-security-admission/", "Name": "Missing Pod Security Admission Labels", "Description": "Checks if namespaces are missing the 'pod-security.kubernetes.io/enforce' label required for Pod Security Admission 
enforcement.\n", "Recommendation": "Add 'pod-security.kubernetes.io/enforce' labels to your namespaces to enforce Pod Security standards. Use values like 'baseline' or 'restricted'.\n", "Weight": 1, "ID": "SEC007", "ResourceKind": "Namespace", "Section": "Security", "Category": "Pod Security", "Severity": "Low", "Items": [ { "Namespace": "1", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "10", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "2", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "3", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "4", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "5", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "6", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "7", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "8", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "9", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "aks-istio-egress", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "aks-istio-ingress", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "aks-istio-system", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "app-routing-system", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "argo-rollouts", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "argo-workflows", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "argocd", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "cert-manager", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod 
security labels" }, { "Namespace": "default", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "gatekeeper-system", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "grafana", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "kiali-operator", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "kube-node-lease", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "kube-public", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "kube-system", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "kubeview", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "linkerd", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "nginx", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "pets", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "prometheus", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "sealed-secrets", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" }, { "Namespace": "test", "Warn": "N/A", "Audit": "N/A", "Issue": "No pod security labels" } ] }, "AKSRES002": { "ID": "AKSRES002", "Severity": "Medium", "URL": "https://learn.microsoft.com/azure/aks/cost-analysis", "FailMessage": "AKS built-in cost tooling (Open Costs) is not enabled, making cost allocation and optimization harder.", "Name": "AKS Built-in Cost Tooling Enabled", "Recommendation": "Enable cost analysis in the AKS metrics profile to gain insights into resource spending and optimize cost management.", "Status": "❌ FAIL", "Category": "Resource Management", "Total": 1, "Items": { "Issue": "Enable cost analysis in the AKS metrics profile to gain insights into resource spending and optimize cost 
management.", "Resource": "AKS Built-in Cost Tooling Enabled" } }, "SEC011": { "Total": 13, "URL": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/", "Name": "Containers Running as UID 0", "Description": "Detects containers explicitly set to run as user 0 (root).\n", "Recommendation": "Avoid setting runAsUser to 0. Use non-root UIDs for better isolation.", "Weight": 3, "ID": "SEC011", "ResourceKind": "Pod", "Section": "Security", "Category": "Pod Security", "Severity": "High", "Items": [ { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-68nhw", "Container": "provider-azure-installer", "UID": 0, "Issue": "Container runs as UID 0" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-7bqmn", "Container": "provider-azure-installer", "UID": 0, "Issue": "Container runs as UID 0" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-7r458", "Container": "provider-azure-installer", "UID": 0, "Issue": "Container runs as UID 0" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-k9tdc", "Container": "provider-azure-installer", "UID": 0, "Issue": "Container runs as UID 0" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-n952g", "Container": "provider-azure-installer", "UID": 0, "Issue": "Container runs as UID 0" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-provider-azure-njpqh", "Container": "provider-azure-installer", "UID": 0, "Issue": "Container runs as UID 0" }, { "Namespace": "kube-system", "Pod": "azure-policy-698f7c86b4-nnff2", "Container": "azure-policy", "UID": 0, "Issue": "Container runs as UID 0" }, { "Namespace": "kube-system", "Pod": "retina-agent-cgv48", "Container": "retina", "UID": 0, "Issue": "Container runs as UID 0" }, { "Namespace": "kube-system", "Pod": "retina-agent-gjxk8", "Container": "retina", "UID": 0, "Issue": "Container runs as UID 0" }, { "Namespace": "kube-system", "Pod": "retina-agent-js76w", 
"Container": "retina", "UID": 0, "Issue": "Container runs as UID 0" }, { "Namespace": "kube-system", "Pod": "retina-agent-lfn7d", "Container": "retina", "UID": 0, "Issue": "Container runs as UID 0" }, { "Namespace": "kube-system", "Pod": "retina-agent-qc9bs", "Container": "retina", "UID": 0, "Issue": "Container runs as UID 0" }, { "Namespace": "kube-system", "Pod": "retina-agent-wlt7b", "Container": "retina", "UID": 0, "Issue": "Container runs as UID 0" } ] }, "AKSSEC007": { "ID": "AKSSEC007", "Severity": "High", "URL": "https://learn.microsoft.com/azure/aks/kubernetes-dashboard", "FailMessage": "", "Name": "Kubernetes Dashboard Disabled", "Recommendation": "Kubernetes Dashboard is disabled.", "Status": "✅ PASS", "Category": "Security", "Total": 0, "Items": null }, "SEC009": { "Total": 42, "URL": "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", "Name": "Missing Capabilities Drop", "Description": "Checks containers that don't drop all Linux capabilities via securityContext.capabilities.drop = ['ALL'].\n", "Recommendation": "Explicitly drop all Linux capabilities unless specific ones are needed.", "Weight": 3, "ID": "SEC009", "ResourceKind": "Pod", "Section": "Security", "Category": "Pod Security", "Severity": "Medium", "Items": [ { "Namespace": "argo-rollouts", "Pod": "simple-deployment-74fd649f8d-996vt", "Container": "webserver-simple", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "argo-workflows", "Pod": "simple-deployment-74fd649f8d-24t56", "Container": "webserver-simple", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "cert-manager", "Pod": "simple-deployment-74fd649f8d-7cht8", "Container": "webserver-simple", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "grafana", "Pod": "simple-deployment-74fd649f8d-l7wrd", "Container": "webserver-simple", "DroppedCapabilities": "", "Issue": "Does not drop ALL 
capabilities" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-2l2wl", "Container": "node-driver-registrar", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-2l2wl", "Container": "secrets-store", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-2l2wl", "Container": "liveness-probe", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-6w2vp", "Container": "node-driver-registrar", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-6w2vp", "Container": "secrets-store", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-6w2vp", "Container": "liveness-probe", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-7879c", "Container": "node-driver-registrar", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-7879c", "Container": "secrets-store", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-7879c", "Container": "liveness-probe", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-m8m29", "Container": "node-driver-registrar", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-m8m29", "Container": "secrets-store", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, 
{ "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-m8m29", "Container": "liveness-probe", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-vnmcd", "Container": "node-driver-registrar", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-vnmcd", "Container": "secrets-store", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-vnmcd", "Container": "liveness-probe", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-zrfbz", "Container": "node-driver-registrar", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-zrfbz", "Container": "secrets-store", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "aks-secrets-store-csi-driver-zrfbz", "Container": "liveness-probe", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "extension-agent-66c4486d68-46cqq", "Container": "extension-agent", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "extension-agent-66c4486d68-46cqq", "Container": "fluent-bit", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "extension-operator-d95fd449b-ssrcx", "Container": "manager", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "extension-operator-d95fd449b-ssrcx", "Container": "fluent-bit", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": 
"kube-proxy-26xkd", "Container": "kube-proxy", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "kube-proxy-6mrql", "Container": "kube-proxy", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "kube-proxy-9rbxf", "Container": "kube-proxy", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "kube-proxy-njzgk", "Container": "kube-proxy", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "kube-proxy-rvmxl", "Container": "kube-proxy", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kube-system", "Pod": "kube-proxy-vp7xj", "Container": "kube-proxy", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "kubeview", "Pod": "simple-deployment-74fd649f8d-qxp2r", "Container": "webserver-simple", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "linkerd", "Pod": "simple-deployment-74fd649f8d-mkmst", "Container": "webserver-simple", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "nginx", "Pod": "simple-deployment-74fd649f8d-hlcdk", "Container": "webserver-simple", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "pets", "Pod": "order-service-6c5bfb6946-b58xq", "Container": "order-service", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "pets", "Pod": "product-service-5dd87dfb8-ssfxc", "Container": "product-service", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "pets", "Pod": "rabbitmq-0", "Container": "rabbitmq", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "pets", "Pod": "store-front-658994fd95-pk9qn", "Container": "store-front", 
"DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "prometheus", "Pod": "simple-deployment-74fd649f8d-2x6w5", "Container": "webserver-simple", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "sealed-secrets", "Pod": "simple-deployment-74fd649f8d-stktp", "Container": "webserver-simple", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" }, { "Namespace": "test", "Pod": "simple-deployment-74fd649f8d-lhlkx", "Container": "webserver-simple", "DroppedCapabilities": "", "Issue": "Does not drop ALL capabilities" } ] }, "WRK007": { "Total": 60, "URL": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", "Name": "Missing Readiness and Liveness Probes", "Description": "Detects containers without health probes (readiness/liveness).", "Recommendation": "Add readiness and liveness probes to all containers to improve availability and fault detection.", "Weight": 4, "ID": "WRK007", "ResourceKind": "Deployment", "Section": "Workloads", "Category": "Probes", "Severity": "Medium", "Items": [ { "Namespace": "aks-istio-ingress", "Workload": "aks-istio-ingressgateway-external-asm-1-23", "Kind": "Deployment", "Container": "istio-proxy", "Missing": "readiness, liveness" }, { "Namespace": "aks-istio-system", "Workload": "istiod-asm-1-23", "Kind": "Deployment", "Container": "discovery", "Missing": "liveness" }, { "Namespace": "argo-rollouts", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "argo-workflows", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "argocd", "Workload": "argocd-applicationset-controller", "Kind": "Deployment", "Container": "argocd-applicationset-controller", "Missing": "readiness, liveness" }, { "Namespace": "argocd", "Workload": 
"argocd-dex-server", "Kind": "Deployment", "Container": "dex", "Missing": "readiness, liveness" }, { "Namespace": "argocd", "Workload": "argocd-notifications-controller", "Kind": "Deployment", "Container": "argocd-notifications-controller", "Missing": "readiness" }, { "Namespace": "cert-manager", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "grafana", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "ama-logs-rs", "Kind": "Deployment", "Container": "ama-logs", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-metrics", "Kind": "Deployment", "Container": "prometheus-collector", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-metrics", "Kind": "Deployment", "Container": "addon-token-adapter", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-metrics-operator-targets", "Kind": "Deployment", "Container": "targetallocator", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-metrics-operator-targets", "Kind": "Deployment", "Container": "config-reader", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "coredns-autoscaler", "Kind": "Deployment", "Container": "autoscaler", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "extension-agent", "Kind": "Deployment", "Container": "extension-agent", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "extension-agent", "Kind": "Deployment", "Container": "fluent-bit", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "extension-operator", "Kind": "Deployment", "Container": "manager", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "extension-operator", "Kind": "Deployment", "Container": "fluent-bit", "Missing": 
"readiness, liveness" }, { "Namespace": "kube-system", "Workload": "konnectivity-agent-autoscaler", "Kind": "Deployment", "Container": "autoscaler", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "metrics-server", "Kind": "Deployment", "Container": "metrics-server-vpa", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "microsoft-defender-collector-misc", "Kind": "Deployment", "Container": "microsoft-defender-pod-collector", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "vpa-admission-controller", "Kind": "Deployment", "Container": "admission-controller", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "vpa-recommender", "Kind": "Deployment", "Container": "recommender", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "vpa-updater", "Kind": "Deployment", "Container": "updater", "Missing": "readiness, liveness" }, { "Namespace": "kubeview", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "linkerd", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "nginx", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "prometheus", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "sealed-secrets", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "test", "Workload": "simple-deployment", "Kind": "Deployment", "Container": "webserver-simple", "Missing": "readiness, liveness" }, { "Namespace": "argocd", "Workload": "argocd-application-controller", "Kind": "StatefulSet", "Container": 
"argocd-application-controller", "Missing": "liveness" }, { "Namespace": "argocd", "Workload": "argocd-redis-ha-server", "Kind": "StatefulSet", "Container": "split-brain-fix", "Missing": "readiness, liveness" }, { "Namespace": "pets", "Workload": "rabbitmq", "Kind": "StatefulSet", "Container": "rabbitmq", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "aks-secrets-store-csi-driver", "Kind": "DaemonSet", "Container": "node-driver-registrar", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "aks-secrets-store-csi-driver", "Kind": "DaemonSet", "Container": "secrets-store", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "aks-secrets-store-csi-driver", "Kind": "DaemonSet", "Container": "liveness-probe", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "aks-secrets-store-csi-driver-windows", "Kind": "DaemonSet", "Container": "node-driver-registrar", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "aks-secrets-store-csi-driver-windows", "Kind": "DaemonSet", "Container": "secrets-store", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "aks-secrets-store-csi-driver-windows", "Kind": "DaemonSet", "Container": "liveness-probe", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "aks-secrets-store-provider-azure", "Kind": "DaemonSet", "Container": "provider-azure-installer", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "aks-secrets-store-provider-azure-windows", "Kind": "DaemonSet", "Container": "provider-azure-installer", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-logs", "Kind": "DaemonSet", "Container": "ama-logs", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-logs", "Kind": "DaemonSet", "Container": "ama-logs-prometheus", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-logs-windows", "Kind": "DaemonSet", 
"Container": "ama-logs-windows", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-metrics-node", "Kind": "DaemonSet", "Container": "prometheus-collector", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-metrics-node", "Kind": "DaemonSet", "Container": "addon-token-adapter", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-metrics-win-node", "Kind": "DaemonSet", "Container": "prometheus-collector", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "ama-metrics-win-node", "Kind": "DaemonSet", "Container": "addon-token-adapter-win", "Missing": "readiness" }, { "Namespace": "kube-system", "Workload": "azure-ip-masq-agent", "Kind": "DaemonSet", "Container": "azure-ip-masq-agent", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "azure-npm", "Kind": "DaemonSet", "Container": "azure-npm", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "cloud-node-manager", "Kind": "DaemonSet", "Container": "cloud-node-manager", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "cloud-node-manager-windows", "Kind": "DaemonSet", "Container": "cloud-node-manager", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "kube-proxy", "Kind": "DaemonSet", "Container": "kube-proxy", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "microsoft-defender-collector-ds", "Kind": "DaemonSet", "Container": "microsoft-defender-pod-collector", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "microsoft-defender-collector-ds", "Kind": "DaemonSet", "Container": "microsoft-defender-low-level-collector", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "microsoft-defender-publisher-ds", "Kind": "DaemonSet", "Container": "microsoft-defender-publisher", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", 
"Workload": "retina-agent", "Kind": "DaemonSet", "Container": "retina", "Missing": "liveness" }, { "Namespace": "kube-system", "Workload": "retina-agent-win", "Kind": "DaemonSet", "Container": "retinawin", "Missing": "readiness, liveness" }, { "Namespace": "kube-system", "Workload": "windows-kube-proxy-initializer", "Kind": "DaemonSet", "Container": "pause", "Missing": "readiness, liveness" } ] }, "AKSSEC006": { "ID": "AKSSEC006", "Severity": "Medium", "URL": "https://learn.microsoft.com/azure/aks/image-cleaner", "FailMessage": "", "Name": "Image Cleaner Enabled", "Recommendation": "Image Cleaner Enabled is enabled.", "Status": "✅ PASS", "Category": "Security", "Total": 0, "Items": null }, "AKSBP012": { "ID": "AKSBP012", "Severity": "Medium", "URL": "https://learn.microsoft.com/azure/aks/upgrade-cluster#check-the-current-kubernetes-version", "FailMessage": "", "Name": "Node Pool Version Matches Control Plane", "Recommendation": "Node Pool Version Matches Control Plane is enabled.", "Status": "✅ PASS", "Category": "Best Practices", "Total": 0, "Items": null }, "AKSDR002": { "ID": "AKSDR002", "Severity": "Medium", "URL": "https://learn.microsoft.com/azure/aks/free-standard-pricing-tiers", "FailMessage": "", "Name": "Control Plane SLA", "Recommendation": "Control Plane SLA is enabled.", "Status": "✅ PASS", "Category": "Disaster Recovery", "Total": 0, "Items": null }, "RBAC003": { "Total": 20, "URL": "https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/", "Name": "Orphaned ServiceAccounts", "Description": "Finds ServiceAccounts not used by any pods or referenced in RoleBindings or ClusterRoleBindings.", "Recommendation": "Clean up unused ServiceAccounts to avoid confusion and reduce RBAC clutter.", "Weight": 2, "ID": "RBAC003", "ResourceKind": "ServiceAccount", "Section": "Security", "Category": "RBAC", "Severity": "Medium", "Items": [ { "Namespace": "1", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not 
used by pods or RBAC bindings" }, { "Namespace": "10", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "2", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "3", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "4", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "5", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "6", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "7", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "8", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "9", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "aks-istio-egress", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "aks-istio-ingress", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "aks-istio-system", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "app-routing-system", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "argocd", "Resource": 
"serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "default", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "gatekeeper-system", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "kiali-operator", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "kube-node-lease", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" }, { "Namespace": "kube-public", "Resource": "serviceaccount/default", "Value": "default", "Message": "ServiceAccount not used by pods or RBAC bindings" } ] }, "AKSBP008": { "ID": "AKSBP008", "Severity": "Medium", "URL": "https://learn.microsoft.com/azure/aks/auto-upgrade-cluster?tabs=azure-cli", "FailMessage": "", "Name": "Auto Upgrade Channel Configured", "Recommendation": "Auto Upgrade Channel Configured is enabled.", "Status": "✅ PASS", "Category": "Best Practices", "Total": 0, "Items": null }, "AKSBP007": { "ID": "AKSBP007", "Severity": "High", "URL": "https://learn.microsoft.com/azure/aks/use-system-pools?tabs=azure-cli#system-and-user-node-pools", "FailMessage": "", "Name": "System Node Pool Taint", "Recommendation": "System Node Pool Taint is enabled.", "Status": "✅ PASS", "Category": "Best Practices", "Total": 0, "Items": null }, "AKSBP009": { "ID": "AKSBP009", "Severity": "Medium", "URL": "https://learn.microsoft.com/azure/aks/auto-upgrade-node-os-image?tabs=azure-cli", "FailMessage": "", "Name": "Node OS Upgrade Channel Configured", "Recommendation": "Node OS Upgrade Channel Configured is enabled.", "Status": "✅ PASS", "Category": "Best Practices", "Total": 0, "Items": null }, "SEC004": { "Total": 37, "URL": 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", "Name": "Privileged Containers", "Description": "Detects containers running with privileged mode enabled.", "Recommendation": "Avoid using privileged containers unless absolutely necessary, as they grant broad access to host resources.", "Weight": 5, "ID": "SEC004", "ResourceKind": "Pod", "Section": "Security", "Category": "Pod Security", "Severity": "High", "Items": [ { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-2l2wl", "Value": "privileged=true", "Message": "Container 'secrets-store' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-6w2vp", "Value": "privileged=true", "Message": "Container 'secrets-store' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-7879c", "Value": "privileged=true", "Message": "Container 'secrets-store' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-m8m29", "Value": "privileged=true", "Message": "Container 'secrets-store' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-vnmcd", "Value": "privileged=true", "Message": "Container 'secrets-store' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-csi-driver-zrfbz", "Value": "privileged=true", "Message": "Container 'secrets-store' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-4v8mz", "Value": "privileged=true", "Message": "Container 'ama-logs' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-4v8mz", "Value": "privileged=true", "Message": "Container 'ama-logs-prometheus' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-5vr2w", "Value": "privileged=true", "Message": 
"Container 'ama-logs' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-5vr2w", "Value": "privileged=true", "Message": "Container 'ama-logs-prometheus' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-fmd7b", "Value": "privileged=true", "Message": "Container 'ama-logs' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-fmd7b", "Value": "privileged=true", "Message": "Container 'ama-logs-prometheus' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-fpkw6", "Value": "privileged=true", "Message": "Container 'ama-logs' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-fpkw6", "Value": "privileged=true", "Message": "Container 'ama-logs-prometheus' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-gqs28", "Value": "privileged=true", "Message": "Container 'ama-logs' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-gqs28", "Value": "privileged=true", "Message": "Container 'ama-logs-prometheus' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-ndxrw", "Value": "privileged=true", "Message": "Container 'ama-logs' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-ndxrw", "Value": "privileged=true", "Message": "Container 'ama-logs-prometheus' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/ama-logs-rs-64765bd4b9-ldxwl", "Value": "privileged=true", "Message": "Container 'ama-logs' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-26xkd", "Value": "privileged=true", "Message": "Container 'kube-proxy' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-26xkd", "Value": "privileged=true", "Message": "Container 
'kube-proxy-bootstrap' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-6mrql", "Value": "privileged=true", "Message": "Container 'kube-proxy' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-6mrql", "Value": "privileged=true", "Message": "Container 'kube-proxy-bootstrap' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-9rbxf", "Value": "privileged=true", "Message": "Container 'kube-proxy' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-9rbxf", "Value": "privileged=true", "Message": "Container 'kube-proxy-bootstrap' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-njzgk", "Value": "privileged=true", "Message": "Container 'kube-proxy' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-njzgk", "Value": "privileged=true", "Message": "Container 'kube-proxy-bootstrap' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-rvmxl", "Value": "privileged=true", "Message": "Container 'kube-proxy' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-rvmxl", "Value": "privileged=true", "Message": "Container 'kube-proxy-bootstrap' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-vp7xj", "Value": "privileged=true", "Message": "Container 'kube-proxy' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-vp7xj", "Value": "privileged=true", "Message": "Container 'kube-proxy-bootstrap' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-cgv48", "Value": "privileged=true", "Message": "Container 'retina-agent-init' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-gjxk8", "Value": 
"privileged=true", "Message": "Container 'retina-agent-init' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-js76w", "Value": "privileged=true", "Message": "Container 'retina-agent-init' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-lfn7d", "Value": "privileged=true", "Message": "Container 'retina-agent-init' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-qc9bs", "Value": "privileged=true", "Message": "Container 'retina-agent-init' is running in privileged mode" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-wlt7b", "Value": "privileged=true", "Message": "Container 'retina-agent-init' is running in privileged mode" } ] }, "NS003": { "Total": 32, "URL": "https://kubernetes.io/docs/concepts/policy/limit-range/", "Name": "Missing LimitRanges", "Description": "Detects namespaces without a defined LimitRange.", "Recommendation": "Define default CPU and memory limits to avoid unbounded pod usage.", "Weight": 2, "ID": "NS003", "ResourceKind": "limitranges", "Section": "Namespaces", "Category": "Namespaces", "Severity": "medium", "Items": [ { "Namespace": "1", "Issue": "❌ No LimitRange" }, { "Namespace": "10", "Issue": "❌ No LimitRange" }, { "Namespace": "2", "Issue": "❌ No LimitRange" }, { "Namespace": "3", "Issue": "❌ No LimitRange" }, { "Namespace": "4", "Issue": "❌ No LimitRange" }, { "Namespace": "5", "Issue": "❌ No LimitRange" }, { "Namespace": "6", "Issue": "❌ No LimitRange" }, { "Namespace": "7", "Issue": "❌ No LimitRange" }, { "Namespace": "8", "Issue": "❌ No LimitRange" }, { "Namespace": "9", "Issue": "❌ No LimitRange" }, { "Namespace": "aks-istio-egress", "Issue": "❌ No LimitRange" }, { "Namespace": "aks-istio-ingress", "Issue": "❌ No LimitRange" }, { "Namespace": "aks-istio-system", "Issue": "❌ No LimitRange" }, { "Namespace": "app-routing-system", "Issue": "❌ No LimitRange" }, { "Namespace": 
"argo-rollouts", "Issue": "❌ No LimitRange" }, { "Namespace": "argo-workflows", "Issue": "❌ No LimitRange" }, { "Namespace": "argocd", "Issue": "❌ No LimitRange" }, { "Namespace": "cert-manager", "Issue": "❌ No LimitRange" }, { "Namespace": "default", "Issue": "❌ No LimitRange" }, { "Namespace": "gatekeeper-system", "Issue": "❌ No LimitRange" }, { "Namespace": "grafana", "Issue": "❌ No LimitRange" }, { "Namespace": "kiali-operator", "Issue": "❌ No LimitRange" }, { "Namespace": "kube-node-lease", "Issue": "❌ No LimitRange" }, { "Namespace": "kube-public", "Issue": "❌ No LimitRange" }, { "Namespace": "kube-system", "Issue": "❌ No LimitRange" }, { "Namespace": "kubeview", "Issue": "❌ No LimitRange" }, { "Namespace": "linkerd", "Issue": "❌ No LimitRange" }, { "Namespace": "nginx", "Issue": "❌ No LimitRange" }, { "Namespace": "pets", "Issue": "❌ No LimitRange" }, { "Namespace": "prometheus", "Issue": "❌ No LimitRange" }, { "Namespace": "sealed-secrets", "Issue": "❌ No LimitRange" }, { "Namespace": "test", "Issue": "❌ No LimitRange" } ] }, "AKSSEC002": { "ID": "AKSSEC002", "Severity": "Medium", "URL": "https://learn.microsoft.com/azure/aks/policy-reference", "FailMessage": "", "Name": "Azure Policy Add-on", "Recommendation": "Azure Policy Add-on is enabled.", "Status": "✅ PASS", "Category": "Security", "Total": 0, "Items": null }, "SEC001": { "Total": 10, "URL": "https://kubernetes.io/docs/concepts/configuration/secret/", "Name": "Orphaned Secrets", "Description": "Detects Secrets not used by any workloads, ingresses, service accounts, or known custom resources.", "Recommendation": "Review and remove unused Secrets to reduce surface area and limit stale credentials.", "Weight": 2, "ID": "SEC001", "ResourceKind": "Secret", "Section": "Security", "Category": "Security", "Severity": "Medium", "Items": [ { "Namespace": "aks-istio-system", "Resource": "secret/istio-ca-secret", "Value": "istio-ca-secret", "Message": "Secret appears unused across workloads, ingresses, service 
accounts, or CRs" }, { "Namespace": "argocd", "Resource": "secret/argocd-initial-admin-secret", "Value": "argocd-initial-admin-secret", "Message": "Secret appears unused across workloads, ingresses, service accounts, or CRs" }, { "Namespace": "argocd", "Resource": "secret/argocd-notifications-secret", "Value": "argocd-notifications-secret", "Message": "Secret appears unused across workloads, ingresses, service accounts, or CRs" }, { "Namespace": "argocd", "Resource": "secret/argocd-secret", "Value": "argocd-secret", "Message": "Secret appears unused across workloads, ingresses, service accounts, or CRs" }, { "Namespace": "argocd", "Resource": "secret/repo-1114886772", "Value": "repo-1114886772", "Message": "Secret appears unused across workloads, ingresses, service accounts, or CRs" }, { "Namespace": "argocd", "Resource": "secret/repo-1952242182", "Value": "repo-1952242182", "Message": "Secret appears unused across workloads, ingresses, service accounts, or CRs" }, { "Namespace": "kube-system", "Resource": "secret/aad-msi-auth-token", "Value": "aad-msi-auth-token", "Message": "Secret appears unused across workloads, ingresses, service accounts, or CRs" }, { "Namespace": "kube-system", "Resource": "secret/azure-policy-webhook-cert", "Value": "azure-policy-webhook-cert", "Message": "Secret appears unused across workloads, ingresses, service accounts, or CRs" }, { "Namespace": "kube-system", "Resource": "secret/extensions-aad-msi-token", "Value": "extensions-aad-msi-token", "Message": "Secret appears unused across workloads, ingresses, service accounts, or CRs" }, { "Namespace": "kube-system", "Resource": "secret/omsagent-aad-msi-token", "Value": "omsagent-aad-msi-token", "Message": "Secret appears unused across workloads, ingresses, service accounts, or CRs" } ] }, "NET003": { "Total": 0, "URL": "https://kubernetes.io/docs/concepts/services-networking/ingress/", "Name": "Ingress Health Validation", "Description": "Validates ingress definitions for missing classes, 
invalid backends, missing TLS secrets, duplicate host/path entries, and incorrect path types.", "Recommendation": "Fix invalid ingress definitions including missing TLS secrets, backend services, and path issues.", "Weight": 3, "ID": "NET003", "Message": "No issues detected for Ingress Health Validation.", "ResourceKind": "Ingress", "Section": "Networking", "Category": "Networking", "Severity": "High", "Items": [] }, "AKSMON002": { "ID": "AKSMON002", "Severity": "High", "URL": "https://learn.microsoft.com/azure/azure-monitor/essentials/prometheus-metrics-overview", "FailMessage": "", "Name": "Managed Prometheus Enabled", "Recommendation": "Managed Prometheus Enabled is enabled.", "Status": "✅ PASS", "Category": "Monitoring & Logging", "Total": 0, "Items": null }, "AKSSEC004": { "ID": "AKSSEC004", "Severity": "Medium", "URL": "https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster", "FailMessage": "", "Name": "OIDC Issuer Enabled", "Recommendation": "OIDC Issuer Enabled is enabled.", "Status": "✅ PASS", "Category": "Security", "Total": 0, "Items": null }, "AKSBP006": { "ID": "AKSBP006", "Severity": "Medium", "URL": "https://learn.microsoft.com/azure/aks/concepts-storage#managed-os-disks", "FailMessage": "", "Name": "Non-Ephemeral Disks with Adequate Size", "Recommendation": "Non-Ephemeral Disks with Adequate Size is enabled.", "Status": "✅ PASS", "Category": "Best Practices", "Total": 0, "Items": null }, "SEC015": { "Total": 20, "URL": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/", "Name": "Pods Using Default ServiceAccount", "Description": "Flags pods using the default service account, which may have broad permissions.", "Recommendation": "Assign a dedicated ServiceAccount to each workload with least-privilege permissions.", "Weight": 3, "ID": "SEC015", "ResourceKind": "Pod", "Section": "Security", "Category": "Pod Security", "Severity": "Medium", "Items": [ { "Namespace": "argo-rollouts", "Pod": 
"simple-deployment-74fd649f8d-996vt", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "argo-workflows", "Pod": "simple-deployment-74fd649f8d-24t56", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "cert-manager", "Pod": "simple-deployment-74fd649f8d-7cht8", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "grafana", "Pod": "simple-deployment-74fd649f8d-l7wrd", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-4522j", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-4c7cr", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-78rnw", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-84ltn", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-t4c2w", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "kube-system", "Pod": "azure-ip-masq-agent-vbdd8", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "kubeview", "Pod": "simple-deployment-74fd649f8d-qxp2r", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "linkerd", "Pod": "simple-deployment-74fd649f8d-mkmst", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "nginx", "Pod": "simple-deployment-74fd649f8d-hlcdk", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "pets", "Pod": "order-service-6c5bfb6946-b58xq", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "pets", "Pod": 
"product-service-5dd87dfb8-ssfxc", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "pets", "Pod": "rabbitmq-0", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "pets", "Pod": "store-front-658994fd95-pk9qn", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "prometheus", "Pod": "simple-deployment-74fd649f8d-2x6w5", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "sealed-secrets", "Pod": "simple-deployment-74fd649f8d-stktp", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" }, { "Namespace": "test", "Pod": "simple-deployment-74fd649f8d-lhlkx", "ServiceAccount": "default", "Issue": "Using default ServiceAccount" } ] }, "AKSIAM002": { "ID": "AKSIAM002", "Severity": "High", "URL": "https://learn.microsoft.com/azure/aks/use-managed-identity", "FailMessage": "", "Name": "Managed Identity", "Recommendation": "Managed Identity is enabled.", "Status": "✅ PASS", "Category": "Identity & Access", "Total": 0, "Items": null }, "CFG003": { "Total": 0, "URL": "https://kubernetes.io/docs/concepts/configuration/configmap/", "Name": "Large ConfigMaps", "Description": "Finds ConfigMaps larger than 1 MiB, which may impact performance or exceed platform limits.", "Recommendation": "Avoid storing large data in ConfigMaps. Consider using PersistentVolumes or Secrets instead.", "Weight": 2, "ID": "CFG003", "Message": "No issues detected for Large ConfigMaps.", "ResourceKind": "ConfigMap", "Section": "Configuration Hygiene", "Category": "Best Practices", "Severity": "Medium", "Items": [] }, "NET001": { "Total": 3, "URL": "https://kubernetes.io/docs/concepts/services-networking/service/", "Name": "Services Without Endpoints", "Description": "Identifies services that have no backing endpoints, which means no pods are matched.", "Recommendation": "Check if the service selector matches any pods. 
Ensure the backing pods are running and ready.", "Weight": 2, "ID": "NET001", "ResourceKind": "Service", "Section": "Networking", "Category": "Networking", "Severity": "High", "Items": [ { "Namespace": "kube-system", "Resource": "service/extension-agent-metrics-service", "Value": "extension-agent-metrics-service", "Message": "No endpoints available" }, { "Namespace": "kube-system", "Resource": "service/extension-operator-metrics-service", "Value": "extension-operator-metrics-service", "Message": "No endpoints available" }, { "Namespace": "kube-system", "Resource": "service/network-observability", "Value": "network-observability", "Message": "No endpoints available" } ] }, "AKSNET002": { "ID": "AKSNET002", "Severity": "Medium", "URL": "https://learn.microsoft.com/azure/aks/operator-best-practices-network#control-traffic-flow-with-network-policies", "FailMessage": "", "Name": "Network Policy Check", "Recommendation": "Network Policy Check is enabled.", "Status": "✅ PASS", "Category": "Networking", "Total": 0, "Items": null }, "WRK001": { "Total": 0, "URL": "https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/", "Name": "DaemonSets Not Fully Running", "Description": "Detects DaemonSets that have fewer running pods than desired.", "Recommendation": "Investigate DaemonSets not fully running. Common causes include taints, node issues, or resource constraints.", "Weight": 2, "ID": "WRK001", "Message": "No issues detected for DaemonSets Not Fully Running.", "ResourceKind": "DaemonSet", "Section": "Workloads", "Category": "Workloads", "Severity": "Warning", "Items": [] }, "AKSSEC08": { "ID": "AKSSEC08", "Severity": "High", "URL": "https://learn.microsoft.com/en-us/azure/aks/use-psa", "FailMessage": "Pod Security Admission is not enabled on this cluster. 
This may reduce baseline pod security.", "Name": "Pod Security Admission Enabled", "Recommendation": "Enable Pod Security Admission by setting 'podSecurityAdmissionConfiguration' during cluster creation or via supported upgrade path.", "Status": "❌ FAIL", "Category": "Security", "Total": 1, "Items": { "Issue": "Enable Pod Security Admission by setting 'podSecurityAdmissionConfiguration' during cluster creation or via supported upgrade path.", "Resource": "Pod Security Admission Enabled" } }, "EVENT002": { "Total": 0, "URL": "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#event-v1-core", "Name": "Full Warning Event Log", "Description": "Lists all recent Warning events in the cluster.", "Recommendation": "Review recent warnings. Correlate events with impacted resources.", "Weight": 1, "ID": "EVENT002", "Message": "No issues detected for Full Warning Event Log.", "ResourceKind": "events", "Section": "Kubernetes Events", "Category": "Events", "Severity": "medium", "Items": [] }, "AKSIAM004": { "ID": "AKSIAM004", "Severity": "High", "URL": "https://learn.microsoft.com/azure/aks/use-managed-identity", "FailMessage": "", "Name": "Managed Identity Used", "Recommendation": "Managed Identity Used is enabled.", "Status": "✅ PASS", "Category": "Identity & Access", "Total": 0, "Items": null }, "CFG002": { "Total": 2, "URL": "https://kubernetes.io/docs/concepts/configuration/configmap/", "Name": "Duplicate ConfigMap Names", "Description": "Detects ConfigMaps with identical names across different namespaces.", "Recommendation": "Avoid using the same ConfigMap name across namespaces to reduce confusion and misconfiguration risk.", "Weight": 1, "ID": "CFG002", "ResourceKind": "ConfigMap", "Section": "Configuration Hygiene", "Category": "Best Practices", "Severity": "Medium", "Items": [ { "Namespace": "-", "Resource": "istio-ca-root-cert", "Value": "-", "Message": "Found in namespaces: 1, 10, 2, 3, 4, 5, 6, 7, 8, 9, aks-istio-egress, aks-istio-ingress, 
aks-istio-system, app-routing-system, argo-rollouts, argo-workflows, argocd, cert-manager, default, gatekeeper-system, grafana, kiali-operator, kube-system, kubeview, linkerd, nginx, pets, prometheus, sealed-secrets, test" }, { "Namespace": "-", "Resource": "kube-root-ca.crt", "Value": "-", "Message": "Found in namespaces: 1, 10, 2, 3, 4, 5, 6, 7, 8, 9, aks-istio-egress, aks-istio-ingress, aks-istio-system, app-routing-system, argo-rollouts, argo-workflows, argocd, cert-manager, default, gatekeeper-system, grafana, kiali-operator, kube-node-lease, kube-public, kube-system, kubeview, linkerd, nginx, pets, prometheus, sealed-secrets, test" } ] }, "SEC013": { "Total": 98, "URL": "https://kubernetes.io/docs/concepts/storage/volumes/#emptydir", "Name": "EmptyDir Volume Usage", "Description": "EmptyDir volumes are ephemeral: their contents are deleted when the pod is removed from its node. Use only if data persistence is not needed.\n", "Recommendation": "Use persistent volumes or ConfigMaps instead of EmptyDir when persistence is required.", "Weight": 1, "ID": "SEC013", "ResourceKind": "Pod", "Section": "Security", "Category": "Pod Security", "Severity": "Low", "Items": [ { "Namespace": "aks-istio-ingress", "Pod": "aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4", "Volume": "workload-socket", "Issue": "EmptyDir volume used" }, { "Namespace": "aks-istio-ingress", "Pod": "aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4", "Volume": "credential-socket", "Issue": "EmptyDir volume used" }, { "Namespace": "aks-istio-ingress", "Pod": "aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4", "Volume": "workload-certs", "Issue": "EmptyDir volume used" }, { "Namespace": "aks-istio-ingress", "Pod": "aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4", "Volume": "istio-envoy", "Issue": "EmptyDir volume used" }, { "Namespace": "aks-istio-ingress", "Pod": "aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4", "Volume": "istio-data", "Issue": "EmptyDir volume used" }, {
"Namespace": "aks-istio-ingress", "Pod": "aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb", "Volume": "workload-socket", "Issue": "EmptyDir volume used" }, { "Namespace": "aks-istio-ingress", "Pod": "aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb", "Volume": "credential-socket", "Issue": "EmptyDir volume used" }, { "Namespace": "aks-istio-ingress", "Pod": "aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb", "Volume": "workload-certs", "Issue": "EmptyDir volume used" }, { "Namespace": "aks-istio-ingress", "Pod": "aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb", "Volume": "istio-envoy", "Issue": "EmptyDir volume used" }, { "Namespace": "aks-istio-ingress", "Pod": "aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb", "Volume": "istio-data", "Issue": "EmptyDir volume used" }, { "Namespace": "aks-istio-system", "Pod": "istiod-asm-1-23-7744d5fbf4-9572m", "Volume": "local-certs", "Issue": "EmptyDir volume used" }, { "Namespace": "aks-istio-system", "Pod": "istiod-asm-1-23-7744d5fbf4-rqzvt", "Volume": "local-certs", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-application-controller-0", "Volume": "argocd-home", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-application-controller-0", "Volume": "argocd-application-controller-tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-applicationset-controller-6fdf84dbb6-msffz", "Volume": "gpg-keyring", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-applicationset-controller-6fdf84dbb6-msffz", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-dex-server-556c76889-h4kxj", "Volume": "static-files", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-dex-server-556c76889-h4kxj", "Volume": "dexconfig", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": 
"argocd-redis-ha-haproxy-fb657456c-kjbkq", "Volume": "shared-socket", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-haproxy-fb657456c-kjbkq", "Volume": "data", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-haproxy-fb657456c-kjlpf", "Volume": "shared-socket", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-haproxy-fb657456c-kjlpf", "Volume": "data", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-haproxy-fb657456c-tnjmb", "Volume": "shared-socket", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-haproxy-fb657456c-tnjmb", "Volume": "data", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-0", "Volume": "data", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-1", "Volume": "data", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-redis-ha-server-2", "Volume": "data", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-repo-server-8568fc89b5-sx6ks", "Volume": "gpg-keyring", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-repo-server-8568fc89b5-sx6ks", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-repo-server-8568fc89b5-sx6ks", "Volume": "helm-working-dir", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-repo-server-8568fc89b5-sx6ks", "Volume": "var-files", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-repo-server-8568fc89b5-sx6ks", "Volume": "plugins", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-repo-server-8568fc89b5-xrzzn", "Volume": "gpg-keyring", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-repo-server-8568fc89b5-xrzzn", "Volume": "tmp", "Issue": "EmptyDir volume used" 
}, { "Namespace": "argocd", "Pod": "argocd-repo-server-8568fc89b5-xrzzn", "Volume": "helm-working-dir", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-repo-server-8568fc89b5-xrzzn", "Volume": "var-files", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-repo-server-8568fc89b5-xrzzn", "Volume": "plugins", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-server-54f9645b87-k4rz8", "Volume": "plugins-home", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-server-54f9645b87-k4rz8", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-server-54f9645b87-wwzgz", "Volume": "plugins-home", "Issue": "EmptyDir volume used" }, { "Namespace": "argocd", "Pod": "argocd-server-54f9645b87-wwzgz", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "gatekeeper-system", "Pod": "gatekeeper-audit-77858c8f69-7k782", "Volume": "tmp-volume", "Issue": "EmptyDir volume used" }, { "Namespace": "kiali-operator", "Pod": "kiali-operator-696bd54db-mr8md", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-4v8mz", "Volume": "mdsd-prometheus-sock", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-5vr2w", "Volume": "mdsd-prometheus-sock", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fmd7b", "Volume": "mdsd-prometheus-sock", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-fpkw6", "Volume": "mdsd-prometheus-sock", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-gqs28", "Volume": "mdsd-prometheus-sock", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "ama-logs-ndxrw", "Volume": "mdsd-prometheus-sock", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "ama-metrics-operator-targets-66fb46c8d6-vskdg", "Volume": 
"ta-config-shared", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-jsbbh", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-lp6sf", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-nv6xx", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-p6fpw", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-vsrfp", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "azure-npm-z8mcz", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "coredns-658d6d767d-757xp", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "coredns-658d6d767d-pt6l6", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "metrics-server-5f9ccffcc4-jsrjl", "Volume": "tmp-dir", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "metrics-server-5f9ccffcc4-v88pw", "Volume": "tmp-dir", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-6xdfq", "Volume": "ebpf", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-89l74", "Volume": "ebpf", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-d7gwk", "Volume": "ebpf", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-mdcs8", "Volume": "ebpf", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-q6d6c", "Volume": "ebpf", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-collector-ds-wb5dm", "Volume": "ebpf", "Issue": "EmptyDir volume used" }, { "Namespace": 
"kube-system", "Pod": "microsoft-defender-publisher-ds-2ql5b", "Volume": "fluent-bit-conf", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-2rsrw", "Volume": "fluent-bit-conf", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-jj6dh", "Volume": "fluent-bit-conf", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-l5crs", "Volume": "fluent-bit-conf", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-lfk8h", "Volume": "fluent-bit-conf", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "microsoft-defender-publisher-ds-vz2c6", "Volume": "fluent-bit-conf", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-cgv48", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-gjxk8", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-js76w", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-lfn7d", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-qc9bs", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "kube-system", "Pod": "retina-agent-wlt7b", "Volume": "tmp", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "order-service-6c5bfb6946-b58xq", "Volume": "workload-socket", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "order-service-6c5bfb6946-b58xq", "Volume": "credential-socket", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "order-service-6c5bfb6946-b58xq", "Volume": "workload-certs", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "order-service-6c5bfb6946-b58xq", "Volume": "istio-envoy", "Issue": "EmptyDir 
volume used" }, { "Namespace": "pets", "Pod": "order-service-6c5bfb6946-b58xq", "Volume": "istio-data", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "product-service-5dd87dfb8-ssfxc", "Volume": "workload-socket", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "product-service-5dd87dfb8-ssfxc", "Volume": "credential-socket", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "product-service-5dd87dfb8-ssfxc", "Volume": "workload-certs", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "product-service-5dd87dfb8-ssfxc", "Volume": "istio-envoy", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "product-service-5dd87dfb8-ssfxc", "Volume": "istio-data", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "rabbitmq-0", "Volume": "workload-socket", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "rabbitmq-0", "Volume": "credential-socket", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "rabbitmq-0", "Volume": "workload-certs", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "rabbitmq-0", "Volume": "istio-envoy", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "rabbitmq-0", "Volume": "istio-data", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "store-front-658994fd95-pk9qn", "Volume": "workload-socket", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "store-front-658994fd95-pk9qn", "Volume": "credential-socket", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "store-front-658994fd95-pk9qn", "Volume": "workload-certs", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "store-front-658994fd95-pk9qn", "Volume": "istio-envoy", "Issue": "EmptyDir volume used" }, { "Namespace": "pets", "Pod": "store-front-658994fd95-pk9qn", "Volume": "istio-data", "Issue": "EmptyDir volume used" } ] }, "SEC002": { "Total": 36, "URL": 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", "Name": "Pods using hostPID or hostNetwork", "Description": "Flags pods that share the host's PID or network namespace, which can compromise isolation and node security.", "Recommendation": "Avoid using hostPID or hostNetwork unless strictly required. These settings reduce isolation and can expose the host.", "Weight": 4, "ID": "SEC002", "ResourceKind": "Pod", "Section": "Security", "Category": "Pods", "Severity": "High", "Items": [ { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-68nhw", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-7bqmn", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-7r458", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-k9tdc", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-n952g", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/aks-secrets-store-provider-azure-njpqh", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-4522j", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-4c7cr", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-78rnw", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, 
{ "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-84ltn", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-t4c2w", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/azure-ip-masq-agent-vbdd8", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-jsbbh", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-lp6sf", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-nv6xx", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-p6fpw", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-vsrfp", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/azure-npm-z8mcz", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-57rk2", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-gl5xl", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-l7v5j", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-lr49d", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", 
"Resource": "pod/cloud-node-manager-n5qdr", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/cloud-node-manager-xwrrd", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-26xkd", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-6mrql", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-9rbxf", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-njzgk", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-rvmxl", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/kube-proxy-vp7xj", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-cgv48", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-gjxk8", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-js76w", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-lfn7d", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-qc9bs", "Value": "hostPID=False, hostNetwork=True", "Message": "Pod uses hostNetwork" }, { "Namespace": "kube-system", "Resource": "pod/retina-agent-wlt7b", "Value": "hostPID=False, 
hostNetwork=True", "Message": "Pod uses hostNetwork" } ] }, "POD005": { "Total": 0, "URL": "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy", "Name": "CrashLoopBackOff Pods", "Description": "Identifies pods stuck in a CrashLoopBackOff state due to repeated container crashes.", "Recommendation": "Check logs, investigate container errors, and fix misconfigurations.", "Weight": 4, "ID": "POD005", "Message": "No issues detected for CrashLoopBackOff Pods.", "ResourceKind": "Pod", "Section": "Pods", "Category": "Workloads", "Severity": "Error", "Items": [] }, "JOB002": { "Total": 0, "URL": "https://kubernetes.io/docs/concepts/workloads/controllers/job/#handling-pod-and-container-failures", "Name": "Failed Kubernetes Jobs", "Description": "Detects jobs with failures and no successful completions.", "Recommendation": "Review job logs and resource constraints to identify cause of failure.", "Weight": 3, "ID": "JOB002", "Message": "No issues detected for Failed Kubernetes Jobs.", "ResourceKind": "jobs", "Section": "Jobs", "Category": "Jobs", "Severity": "high", "Items": [] }, "NET002": { "Total": 4, "URL": "https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services", "Name": "Publicly Accessible Services", "Description": "Detects services of type LoadBalancer or NodePort that are potentially exposed to the internet.", "Recommendation": "Audit services of type LoadBalancer or NodePort. 
Limit exposure with firewalls or internal IP ranges.", "Weight": 4, "ID": "NET002", "ResourceKind": "Service", "Section": "Networking", "Category": "Networking", "Severity": "High", "Items": [ { "Namespace": "aks-istio-ingress", "Resource": "service/aks-istio-ingressgateway-external", "Value": "LoadBalancer", "Message": "Exposed via external IP: 131.145.32.126" }, { "Namespace": "app-routing-system", "Resource": "service/nginx", "Value": "LoadBalancer", "Message": "Exposed via external IP: 4.250.59.60" }, { "Namespace": "pets", "Resource": "service/store-front", "Value": "LoadBalancer", "Message": "Exposed via external IP: 85.210.102.171" }, { "Namespace": "test", "Resource": "service/simple-service", "Value": "NodePort", "Message": "Exposed via NodePort" } ] } } } |