docs/examples/text-report-sample.txt
--- Kubernetes Cluster Report ---
Timestamp: 04/22/2025 11:58:43
---------------------------------

[🌐 Cluster Summary]

Cluster Name: aks-0402-dev-uks
Kubernetes Version: v1.30.11

Kubernetes control plane is running at https://aks-0402-dev-uks-okv6e22w.hcp.uksouth.azmk8s.io:443
CoreDNS is running at https://aks-0402-dev-uks-okv6e22w.hcp.uksouth.azmk8s.io:443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
Metrics-server is running at https://aks-0402-dev-uks-okv6e22w.hcp.uksouth.azmk8s.io:443/api/v1/namespaces/kube-system/services/https:metrics-server:/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

Compatibility Check: ⚠️ Cluster is running an outdated version: v1.30.11 (Latest: v1.32.3)
API Server Health:
Metrics:

📊 Cluster Metrics Summary
------------------------------------------------------------------------------------------
🚀 Nodes: 6    🟩 Healthy: 6    🟥 Issues: 0
📦 Pods: 136    🟩 Running: 136    🟥 Failed: 0
🔄 Restarts: 1    🟨 Warnings: 0    🟥 Critical: 0
⏳ Pending Pods: 0    🟡 Waiting: 0
⚠️ Stuck Pods: 0    ❌ Stuck: 0
📉 Job Failures: 0    🔴 Failed: 0
------------------------------------------------------------------------------------------

📊 Pod Distribution: Avg: 22.7 | Max: 29 | Min: 13 | Total Nodes: 6

💾 Resource Usage
------------------------------------------------------------------------------------------
🖥 CPU Usage: 49.73%    🟩 Normal
💾 Memory Usage: 4.51%    🟩 Normal
------------------------------------------------------------------------------------------

❌ Errors: 0    ⚠️ Warnings: 0

CFG001 - Orphaned ConfigMaps
Total Issues: 20

Message                                              Namespace           Resource
-------                                              ---------           --------
ConfigMap is not used by any workloads or services.  aks-istio-system    configmap/istio-asm-1-23
ConfigMap is not used by any workloads or services.  aks-istio-system    configmap/istio-gateway-status-leader
ConfigMap is not used by any workloads or services.  aks-istio-system    configmap/istio-leader
ConfigMap is not used by any workloads or services.  aks-istio-system    configmap/istio-namespace-controller-election
ConfigMap is not used by any workloads or services.  aks-istio-system    configmap/istio-sidecar-injector-asm-1-23
ConfigMap is not used by any workloads or services.  app-routing-system  configmap/nginx
ConfigMap is not used by any workloads or services.  argocd              configmap/argocd-notifications-cm
ConfigMap is not used by any workloads or services.  argocd              configmap/argocd-rbac-cm
ConfigMap is not used by any workloads or services.  kube-system         configmap/azure-ip-masq-agent-config-reconciled
ConfigMap is not used by any workloads or services.  kube-system         configmap/cluster-autoscaler-status
ConfigMap is not used by any workloads or services.  kube-system         configmap/container-azm-ms-aks-k8scluster
ConfigMap is not used by any workloads or services.  kube-system         configmap/coredns-autoscaler
ConfigMap is not used by any workloads or services.  kube-system         configmap/eraser-system-exclusion
ConfigMap is not used by any workloads or services.  kube-system         configmap/extension-apiserver-authentication
ConfigMap is not used by any workloads or services.  kube-system         configmap/extension-immutable-values
ConfigMap is not used by any workloads or services.  kube-system         configmap/extensioncontrollerleaderid-lock
ConfigMap is not used by any workloads or services.  kube-system         configmap/konnectivity-agent-autoscaler
ConfigMap is not used by any workloads or services.  kube-system         configmap/kube-apiserver-legacy-service-account-token-tracking
ConfigMap is not used by any workloads or services.  kube-system         configmap/overlay-upgrade-data
ConfigMap is not used by any workloads or services.  kube-system         configmap/retina-config-win

Category: Best Practices
Severity: Medium
Recommendation: Delete unused ConfigMaps to clean up the cluster and reduce confusion.
URL: https://kubernetes.io/docs/concepts/configuration/configmap/

CFG002 - Duplicate ConfigMap Names
Total Issues: 2

Message
-------
Found in namespaces: 1, 10, 2, 3, 4, 5, 6, 7, 8, 9, aks-istio-egress, aks-istio-ingress, aks-istio-system, app-routing-system, argo-rollouts, argo-work…
Found in namespaces: 1, 10, 2, 3, 4, 5, 6, 7, 8, 9, aks-istio-egress, aks-istio-ingress, aks-istio-system, app-routing-system, argo-rollouts, argo-work…

Category: Best Practices
Severity: Medium
Recommendation: Avoid using the same ConfigMap name across namespaces to reduce confusion and misconfiguration risk.
URL: https://kubernetes.io/docs/concepts/configuration/configmap/

CFG003 - Large ConfigMaps
Total Issues: 0

✅ No issues detected for Large ConfigMaps.

Category: Best Practices
Severity: Medium
Recommendation: Avoid storing large data in ConfigMaps. Consider using PersistentVolumes or Secrets instead.
URL: https://kubernetes.io/docs/concepts/configuration/configmap/

EVENT001 - Grouped Warning Events
Total Issues: 0

✅ No issues detected for Grouped Warning Events.

Category: Events
Severity: medium
Recommendation: Check for recurring issues. Investigate sources using `kubectl describe` or logs.
URL: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#event-v1-core

EVENT002 - Full Warning Event Log
Total Issues: 0

✅ No issues detected for Full Warning Event Log.

Category: Events
Severity: medium
Recommendation: Review recent warnings. Correlate events with impacted resources.
URL: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#event-v1-core

JOB001 - Stuck Kubernetes Jobs
Total Issues: 0

✅ No issues detected for Stuck Kubernetes Jobs.

Category: Jobs
Severity: medium
Recommendation: Jobs that haven't completed may be stuck due to node issues, misconfiguration, or missing pods.
URL: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy

JOB002 - Failed Kubernetes Jobs
Total Issues: 0

✅ No issues detected for Failed Kubernetes Jobs.

Category: Jobs
Severity: high
Recommendation: Review job logs and resource constraints to identify cause of failure.
URL: https://kubernetes.io/docs/concepts/workloads/controllers/job/#handling-pod-and-container-failures

NET001 - Services Without Endpoints
Total Issues: 3

Message                 Namespace    Resource                                    Value
-------                 ---------    --------                                    -----
No endpoints available  kube-system  service/extension-agent-metrics-service     extension-agent-metrics-service
No endpoints available  kube-system  service/extension-operator-metrics-service  extension-operator-metrics-service
No endpoints available  kube-system  service/network-observability               network-observability

Category: Networking
Severity: High
Recommendation: Check if the service selector matches any pods. Ensure the backing pods are running and ready.
URL: https://kubernetes.io/docs/concepts/services-networking/service/

NET002 - Publicly Accessible Services
Total Issues: 4

Message                                  Namespace           Resource                                   Value
-------                                  ---------           --------                                   -----
Exposed via external IP: 131.145.32.126  aks-istio-ingress   service/aks-istio-ingressgateway-external  LoadBalancer
Exposed via external IP: 4.250.59.60     app-routing-system  service/nginx                              LoadBalancer
Exposed via external IP: 85.210.102.171  pets                service/store-front                        LoadBalancer
Exposed via NodePort                     test                service/simple-service                     NodePort

Category: Networking
Severity: High
Recommendation: Audit services of type LoadBalancer or NodePort. Limit exposure with firewalls or internal IP ranges.
URL: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services

NET003 - Ingress Health Validation
Total Issues: 0

✅ No issues detected for Ingress Health Validation.

Category: Networking
Severity: High
Recommendation: Fix invalid ingress definitions including missing TLS secrets, backend services, and path issues.
URL: https://kubernetes.io/docs/concepts/services-networking/ingress/

NET004 - Namespace Missing Network Policy
Total Issues: 16

Issue                                 Namespace           Pods
-----                                 ---------           ----
No NetworkPolicy in active namespace  aks-istio-ingress   2
No NetworkPolicy in active namespace  aks-istio-system    2
No NetworkPolicy in active namespace  app-routing-system  2
No NetworkPolicy in active namespace  argo-rollouts       1
No NetworkPolicy in active namespace  argo-workflows      1
No NetworkPolicy in active namespace  cert-manager        1
No NetworkPolicy in active namespace  gatekeeper-system   3
No NetworkPolicy in active namespace  grafana             1
No NetworkPolicy in active namespace  kiali-operator      2
No NetworkPolicy in active namespace  kubeview            1
No NetworkPolicy in active namespace  linkerd             1
No NetworkPolicy in active namespace  nginx               1
No NetworkPolicy in active namespace  pets                4
No NetworkPolicy in active namespace  prometheus          1
No NetworkPolicy in active namespace  sealed-secrets      1
No NetworkPolicy in active namespace  test                1

Category: Security
Severity: Medium
Recommendation: Apply a default deny-all ingress/egress NetworkPolicy in each namespace that hosts workloads, then selectively allow traffic as needed.
URL: https://kubernetes.io/docs/concepts/services-networking/network-policies/

NODE001 - Node Readiness and Conditions
Total Issues: 0

Node                                  Status     Issues
----                                  ------     ------
aks-systempool-19995743-vmss00000m    ✅ Healthy  None
aks-systempool-19995743-vmss00000n    ✅ Healthy  None
aks-systempool-19995743-vmss00000o    ✅ Healthy  None
aks-workloadpool-10479701-vmss00000e  ✅ Healthy  None
aks-workloadpool-10479701-vmss00000f  ✅ Healthy  None
aks-workloadpool-10479701-vmss00000g  ✅ Healthy  None

Category: Nodes
Severity: High
Recommendation: Investigate NotReady nodes to avoid workload disruption.
URL: https://kubernetes.io/docs/concepts/architecture/nodes/

NODE002 - Node Resource Pressure
Total Issues: 2

Node                                  CPU Status  CPU %   CPU Used  CPU Total  Mem Status  Mem %   Mem Used  Mem Total  Disk %  Disk Status
----                                  ----------  -----   --------  ---------  ----------  -----   --------  ---------  ------  -----------
aks-systempool-19995743-vmss00000m    ✅ Normal    9.26%   176 mC    1900 mC    🟡 Warning   52.17%  3408 Mi   6533 Mi    52%     ✅ Normal
aks-systempool-19995743-vmss00000n    ✅ Normal    8.68%   165 mC    1900 mC    🟡 Warning   50.16%  3277 Mi   6533 Mi    50%     ✅ Normal
aks-systempool-19995743-vmss00000o    ✅ Normal    7.68%   146 mC    1900 mC    ✅ Normal    49.17%  3212 Mi   6533 Mi    49%     ✅ Normal
aks-workloadpool-10479701-vmss00000e  ✅ Normal    31.11%  1201 mC   3860 mC    ✅ Normal    22.69%  3309 Mi   14584 Mi   22%     ✅ Normal
aks-workloadpool-10479701-vmss00000f  ✅ Normal    30.23%  1167 mC   3860 mC    ✅ Normal    16.99%  2478 Mi   14584 Mi   16%     ✅ Normal
aks-workloadpool-10479701-vmss00000g  ✅ Normal    3.68%   142 mC    3860 mC    ✅ Normal    14.11%  2058 Mi   14584 Mi   14%     ✅ Normal

Category: Nodes
Severity: Medium
Recommendation: Investigate and rebalance workloads on nodes with high resource usage.
URL: https://kubernetes.io/docs/tasks/debug/debug-cluster/resource-usage-monitoring/

NS001 - Empty Namespaces
Total Issues: 14

Namespace         Status
---------         ------
1                 📂 Empty
10                📂 Empty
2                 📂 Empty
3                 📂 Empty
4                 📂 Empty
5                 📂 Empty
6                 📂 Empty
7                 📂 Empty
8                 📂 Empty
9                 📂 Empty
aks-istio-egress  📂 Empty
default           📂 Empty
kube-node-lease   📂 Empty
kube-public       📂 Empty

Category: Namespaces
Severity: low
Recommendation: These may be stale or unused and safe to delete after verifying they contain no critical resources.
URL: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

NS002 - Missing or Weak ResourceQuotas
Total Issues: 32

Issue               Namespace
-----               ---------
❌ No ResourceQuota  1
❌ No ResourceQuota  10
❌ No ResourceQuota  2
❌ No ResourceQuota  3
❌ No ResourceQuota  4
❌ No ResourceQuota  5
❌ No ResourceQuota  6
❌ No ResourceQuota  7
❌ No ResourceQuota  8
❌ No ResourceQuota  9
❌ No ResourceQuota  aks-istio-egress
❌ No ResourceQuota  aks-istio-ingress
❌ No ResourceQuota  aks-istio-system
❌ No ResourceQuota  app-routing-system
❌ No ResourceQuota  argo-rollouts
❌ No ResourceQuota  argo-workflows
❌ No ResourceQuota  argocd
❌ No ResourceQuota  cert-manager
❌ No ResourceQuota  default
❌ No ResourceQuota  gatekeeper-system
❌ No ResourceQuota  grafana
❌ No ResourceQuota  kiali-operator
❌ No ResourceQuota  kube-node-lease
❌ No ResourceQuota  kube-public
❌ No ResourceQuota  kube-system
❌ No ResourceQuota  kubeview
❌ No ResourceQuota  linkerd
❌ No ResourceQuota  nginx
❌ No ResourceQuota  pets
❌ No ResourceQuota  prometheus
❌ No ResourceQuota  sealed-secrets
❌ No ResourceQuota  test

Category: Namespaces
Severity: medium
Recommendation: Apply CPU, memory, and pod quotas to enforce fair resource usage.
URL: https://kubernetes.io/docs/concepts/policy/resource-quotas/

NS003 - Missing LimitRanges
Total Issues: 32

Issue            Namespace
-----            ---------
❌ No LimitRange  1
❌ No LimitRange  10
❌ No LimitRange  2
❌ No LimitRange  3
❌ No LimitRange  4
❌ No LimitRange  5
❌ No LimitRange  6
❌ No LimitRange  7
❌ No LimitRange  8
❌ No LimitRange  9
❌ No LimitRange  aks-istio-egress
❌ No LimitRange  aks-istio-ingress
❌ No LimitRange  aks-istio-system
❌ No LimitRange  app-routing-system
❌ No LimitRange  argo-rollouts
❌ No LimitRange  argo-workflows
❌ No LimitRange  argocd
❌ No LimitRange  cert-manager
❌ No LimitRange  default
❌ No LimitRange  gatekeeper-system
❌ No LimitRange  grafana
❌ No LimitRange  kiali-operator
❌ No LimitRange  kube-node-lease
❌ No LimitRange  kube-public
❌ No LimitRange  kube-system
❌ No LimitRange  kubeview
❌ No LimitRange  linkerd
❌ No LimitRange  nginx
❌ No LimitRange  pets
❌ No LimitRange  prometheus
❌ No LimitRange  sealed-secrets
❌ No LimitRange  test

Category: Namespaces
Severity: medium
Recommendation: Define default CPU and memory limits to avoid unbounded pod usage.
URL: https://kubernetes.io/docs/concepts/policy/limit-range/

POD001 - Pods with High Restarts
Total Issues: 0

✅ No issues detected for Pods with High Restarts.

Category: Workloads
Severity: Warning
Recommendation: Review logs and events for frequently restarting pods and address root causes such as crashes, missing configs, or failing probes.
URL: https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#application-crashes

POD002 - Long Running Pods
Total Issues: 0

✅ No issues detected for Long Running Pods.

Category: Workloads
Severity: Warning
Recommendation: Review long-running pods and determine if they should be restarted or replaced by updated deployments.
URL: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase

POD003 - Failed Pods
Total Issues: 0

✅ No issues detected for Failed Pods.

Category: Workloads
Severity: Error
Recommendation: Investigate failed pods for common issues like image errors, resource constraints, or crash loops.
URL: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase

POD004 - Pending Pods
Total Issues: 0

✅ No issues detected for Pending Pods.

Category: Workloads
Severity: Warning
Recommendation: Inspect scheduling constraints, resource availability, and missing dependencies.
URL: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase

POD005 - CrashLoopBackOff Pods
Total Issues: 0

✅ No issues detected for CrashLoopBackOff Pods.

Category: Workloads
Severity: Error
Recommendation: Check logs, investigate container errors, and fix misconfigurations.
URL: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy

POD006 - Leftover Debug Pods
Total Issues: 0

✅ No issues detected for Leftover Debug Pods.

Category: Workloads
Severity: Warning
Recommendation: Delete any leftover debug pods and review your debugging practices.
URL: https://kubernetes.io/docs/tasks/debug/debug-cluster/debug-running-pod/

POD007 - Container images do not use latest tag
Total Issues: 3

Message                                                                              Namespace  Resource                             Value
-------                                                                              ---------  --------                             -----
Container image uses the 'latest' tag, which can lead to unpredictable deployments.  pets       pod/order-service-6c5bfb6946-b58xq   ghcr.io/azure-samples…
Container image uses the 'latest' tag, which can lead to unpredictable deployments.  pets       pod/product-service-5dd87dfb8-ssfxc  ghcr.io/azure-samples…
Container image uses the 'latest' tag, which can lead to unpredictable deployments.  pets       pod/store-front-658994fd95-pk9qn     ghcr.io/azure-samples…

Category: Resource Management
Severity: High
Recommendation: Specify an explicit image tag (e.g., ':v1.2.3') to ensure consistent deployments.
URL: https://kubernetes.io/docs/concepts/containers/images/#image-tags

PVC001 - Unused Persistent Volume Claims
Total Issues: 0

✅ No issues detected for Unused Persistent Volume Claims.

Category: Volumes
Severity: Medium
Recommendation: Review and delete unused PVCs to reclaim storage.
URL: https://kubernetes.io/docs/concepts/storage/persistent-volumes/

RBAC001 - RBAC Misconfigurations
Total Issues: 10

Message                   Namespace         Resource                                                               Value
-------                   ---------         --------                                                               -----
ServiceAccount not found  kube-system       RoleBinding/system::leader-locking-kube-controller-manager             ServiceAccount/kube-controller-manager
ServiceAccount not found  kube-system       RoleBinding/system::leader-locking-kube-scheduler                      ServiceAccount/kube-scheduler
ServiceAccount not found  kube-system       RoleBinding/system:controller:cloud-provider                           ServiceAccount/cloud-provider
ServiceAccount not found  aks-istio-system  ClusterRoleBinding/istio-reader-clusterrole-asm-1-23-aks-istio-system  ServiceAccount/istio-reader-service-acc…
ServiceAccount not found  kube-system       ClusterRoleBinding/secretproviderrotation-rolebinding                  ServiceAccount/secrets-store-csi-driver
ServiceAccount not found  kube-system       ClusterRoleBinding/system:azure-cloud-provider                         ServiceAccount/azure-cloud-provider
ServiceAccount not found  kube-system       ClusterRoleBinding/system:azure-cloud-provider-secret-getter           ServiceAccount/azure-cloud-provider
ServiceAccount not found  kube-system       ClusterRoleBinding/system:controller:route-controller                  ServiceAccount/route-controller
ServiceAccount not found  kube-system       ClusterRoleBinding/system:controller:service-controller                ServiceAccount/service-controller
ServiceAccount not found  kube-system       ClusterRoleBinding/system:kube-dns                                     ServiceAccount/kube-dns

Category: RBAC
Severity: High
Recommendation: Fix missing roleRefs, service accounts, and invalid namespaces in RoleBindings and ClusterRoleBindings.
URL: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

RBAC002 - RBAC Overexposure
Total Issues: 21

Message                                   Namespace          Resource                                                                   Value
-------                                   ---------          --------                                                                   -----
cluster-admin binding (built-in)          🌍 Cluster-Wide     ClusterRoleBinding/aks-cluster-admin-binding                               User/clusterAdmin
cluster-admin binding (built-in)          🌍 Cluster-Wide     ClusterRoleBinding/aks-cluster-admin-binding                               User/clusterUser
cluster-admin binding (built-in)          🌍 Cluster-Wide     ClusterRoleBinding/aks-cluster-admin-binding-aad                           Group/e591c663-c79…
Access to sensitive resources             🌍 Cluster-Wide     ClusterRoleBinding/aks-secretprovidersyncing-rolebinding                   ServiceAccount/aks…
Access to sensitive resources             🌍 Cluster-Wide     ClusterRoleBinding/aks-service-rolebinding                                 User/aks-support
Wildcard permission role                  🌍 Cluster-Wide     ClusterRoleBinding/argocd-application-controller                           ServiceAccount/arg…
cluster-admin binding (built-in)          🌍 Cluster-Wide     ClusterRoleBinding/cluster-admin                                           Group/system:maste…
cluster-admin binding (built-in)          🌍 Cluster-Wide     ClusterRoleBinding/extension-operator                                      ServiceAccount/ext…
Access to sensitive resources             🌍 Cluster-Wide     ClusterRoleBinding/kiali-operator                                          ServiceAccount/kia…
Access to sensitive resources (built-in)  🌍 Cluster-Wide     ClusterRoleBinding/system:controller:clusterrole-aggregation-controller    ServiceAccount/clu…
Access to sensitive resources (built-in)  🌍 Cluster-Wide     ClusterRoleBinding/system:controller:legacy-service-account-token-cleaner  ServiceAccount/leg…
Access to sensitive resources (built-in)  🌍 Cluster-Wide     ClusterRoleBinding/system:kube-controller-manager                          User/system:kube-c…
Access to sensitive resources (built-in)  🌍 Cluster-Wide     ClusterRoleBinding/system:kube-scheduler                                   User/system:kube-s…
Access to sensitive resources (built-in)  🌍 Cluster-Wide     ClusterRoleBinding/system:persistent-volume-binding                        ServiceAccount/per…
Access to sensitive resources             aks-istio-system   RoleBinding/istiod-asm-1-23                                                ServiceAccount/ist…
Access to sensitive resources             argocd             RoleBinding/argocd-redis-ha-haproxy                                        ServiceAccount/arg…
Access to sensitive resources             argocd             RoleBinding/argocd-server                                                  ServiceAccount/arg…
Access to sensitive resources             gatekeeper-system  RoleBinding/gatekeeper-manager-rolebinding                                 ServiceAccount/gat…
Access to sensitive resources             kube-system        RoleBinding/azure-policy-webhook-rolebinding                               ServiceAccount/azu…
Access to sensitive resources             kube-system        RoleBinding/keda-operator-certs                                            ServiceAccount/ked…
Access to sensitive resources             kube-system        RoleBinding/system:controller:token-cleaner                                ServiceAccount/tok…

Category: RBAC
Severity: Critical
Recommendation: Avoid cluster-admin, wildcard, and sensitive resource access in roles. Use least privilege.
URL: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

RBAC003 - Orphaned ServiceAccounts
Total Issues: 20

Message                                           Namespace           Resource                Value
-------                                           ---------           --------                -----
ServiceAccount not used by pods or RBAC bindings  1                   serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  10                  serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  2                   serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  3                   serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  4                   serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  5                   serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  6                   serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  7                   serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  8                   serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  9                   serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  aks-istio-egress    serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  aks-istio-ingress   serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  aks-istio-system    serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  app-routing-system  serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  argocd              serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  default             serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  gatekeeper-system   serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  kiali-operator      serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  kube-node-lease     serviceaccount/default  default
ServiceAccount not used by pods or RBAC bindings  kube-public         serviceaccount/default  default

Category: RBAC
Severity: Medium
Recommendation: Clean up unused ServiceAccounts to avoid confusion and reduce RBAC clutter.
URL: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/

RBAC004 - Orphaned and Ineffective Roles
Total Issues: 4

Message                             Namespace     Resource                                           Value
-------                             ---------     --------                                           -----
ClusterRoleBinding has no subjects  cluster-wide  clusterrolebinding/system:node                     system:node
Unused ClusterRole                  cluster-wide  clusterrole/aks-secretproviderclasses-admin-role   aks-secretproviderclasses-admin-role
Unused ClusterRole                  cluster-wide  clusterrole/aks-secretproviderclasses-viewer-role  aks-secretproviderclasses-viewer-role
ClusterRole has no rules            cluster-wide  clusterrole/eraser-imagejob-pods-cluster-role      eraser-imagejob-pods-cluster-role

Category: RBAC
Severity: Low
Recommendation: Delete Roles and ClusterRoles that are not bound or do not define any rules.
URL: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

SEC001 - Orphaned Secrets
Total Issues: 10

Message                                                                      Namespace         Resource                            Value
-------                                                                      ---------         --------                            -----
Secret appears unused across workloads, ingresses, service accounts, or CRs  aks-istio-system  secret/istio-ca-secret              istio-ca-secret
Secret appears unused across workloads, ingresses, service accounts, or CRs  argocd            secret/argocd-initial-admin-secret  argocd-initial-admin-se…
Secret appears unused across workloads, ingresses, service accounts, or CRs  argocd            secret/argocd-notifications-secret  argocd-notifications-se…
Secret appears unused across workloads, ingresses, service accounts, or CRs  argocd            secret/argocd-secret                argocd-secret
Secret appears unused across workloads, ingresses, service accounts, or CRs  argocd            secret/repo-1114886772              repo-1114886772
Secret appears unused across workloads, ingresses, service accounts, or CRs  argocd            secret/repo-1952242182              repo-1952242182
Secret appears unused across workloads, ingresses, service accounts, or CRs  kube-system       secret/aad-msi-auth-token           aad-msi-auth-token
Secret appears unused across workloads, ingresses, service accounts, or CRs  kube-system       secret/azure-policy-webhook-cert    azure-policy-webhook-ce…
Secret appears unused across workloads, ingresses, service accounts, or CRs  kube-system       secret/extensions-aad-msi-token     extensions-aad-msi-token
Secret appears unused across workloads, ingresses, service accounts, or CRs  kube-system       secret/omsagent-aad-msi-token       omsagent-aad-msi-token

Category: Security
Severity: Medium
Recommendation: Review and remove unused Secrets to reduce surface area and limit stale credentials.
URL: https://kubernetes.io/docs/concepts/configuration/secret/

SEC002 - Pods using hostPID or hostNetwork
Total Issues: 36

Message               Namespace    Resource                                    Value
-------               ---------    --------                                    -----
Pod uses hostNetwork  kube-system  pod/aks-secrets-store-provider-azure-68nhw  hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/aks-secrets-store-provider-azure-7bqmn  hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/aks-secrets-store-provider-azure-7r458  hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/aks-secrets-store-provider-azure-k9tdc  hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/aks-secrets-store-provider-azure-n952g  hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/aks-secrets-store-provider-azure-njpqh  hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/azure-ip-masq-agent-4522j               hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/azure-ip-masq-agent-4c7cr               hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/azure-ip-masq-agent-78rnw               hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/azure-ip-masq-agent-84ltn               hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/azure-ip-masq-agent-t4c2w               hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/azure-ip-masq-agent-vbdd8               hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/azure-npm-jsbbh                         hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/azure-npm-lp6sf                         hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/azure-npm-nv6xx                         hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/azure-npm-p6fpw                         hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/azure-npm-vsrfp                         hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/azure-npm-z8mcz                         hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/cloud-node-manager-57rk2                hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/cloud-node-manager-gl5xl                hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/cloud-node-manager-l7v5j                hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/cloud-node-manager-lr49d                hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/cloud-node-manager-n5qdr                hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/cloud-node-manager-xwrrd                hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/kube-proxy-26xkd                        hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/kube-proxy-6mrql                        hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/kube-proxy-9rbxf                        hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/kube-proxy-njzgk                        hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/kube-proxy-rvmxl                        hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/kube-proxy-vp7xj                        hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/retina-agent-cgv48                      hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/retina-agent-gjxk8                      hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/retina-agent-js76w                      hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/retina-agent-lfn7d                      hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/retina-agent-qc9bs                      hostPID=False, hostNetwork=True
Pod uses hostNetwork  kube-system  pod/retina-agent-wlt7b                      hostPID=False, hostNetwork=True

Category: Pods
Severity: High
Recommendation: Avoid using hostPID or hostNetwork unless strictly required. These settings reduce isolation and can expose the host.
URL: https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline

SEC003 - Pods Running as Root
Total Issues: 380

Message                                                                          Namespace           Resource
-------                                                                          ---------           --------
Container runs as root or has no runAsUser set                                   aks-istio-ingress   pod/aks-istio-ingressgateway-external-asm-1-23…
Container runs as root or has no runAsUser set                                   aks-istio-ingress   pod/aks-istio-ingressgateway-external-asm-1-23…
Container runs as root or has no runAsUser set                                   aks-istio-ingress   pod/aks-istio-ingressgateway-external-asm-1-23…
Container runs as root or has no runAsUser set                                   aks-istio-ingress   pod/aks-istio-ingressgateway-external-asm-1-23…
Container discovery runs as root or has no runAsUser set                         aks-istio-system    pod/istiod-asm-1-23-7744d5fbf4-9572m
Container runs as root or has no runAsUser set                                   aks-istio-system    pod/istiod-asm-1-23-7744d5fbf4-9572m
Container runs as root or has no runAsUser set                                   aks-istio-system    pod/istiod-asm-1-23-7744d5fbf4-9572m
Container discovery runs as root or has no runAsUser set                         aks-istio-system    pod/istiod-asm-1-23-7744d5fbf4-rqzvt
Container runs as root or has no runAsUser set                                   aks-istio-system    pod/istiod-asm-1-23-7744d5fbf4-rqzvt
Container runs as root or has no runAsUser set                                   aks-istio-system    pod/istiod-asm-1-23-7744d5fbf4-rqzvt
Container runs as root or has no runAsUser set                                   app-routing-system  pod/nginx-69fcb489fd-4wgk9
Container runs as root or has no runAsUser set                                   app-routing-system  pod/nginx-69fcb489fd-4wgk9
Container runs as root or has no runAsUser set                                   app-routing-system  pod/nginx-69fcb489fd-64v6k
Container runs as root or has no runAsUser set                                   app-routing-system  pod/nginx-69fcb489fd-64v6k
Container webserver-simple runs as root or has no runAsUser set                  argo-rollouts       pod/simple-deployment-74fd649f8d-996vt
Container runs as root or has no runAsUser set                                   argo-rollouts       pod/simple-deployment-74fd649f8d-996vt
Container runs as root or has no runAsUser set                                   argo-rollouts       pod/simple-deployment-74fd649f8d-996vt
Container webserver-simple runs as root or has no runAsUser set                  argo-workflows      pod/simple-deployment-74fd649f8d-24t56
Container runs as root or has no runAsUser set                                   argo-workflows      pod/simple-deployment-74fd649f8d-24t56
Container runs as root or has no runAsUser set                                   argo-workflows      pod/simple-deployment-74fd649f8d-24t56
Container argocd-application-controller runs as root or has no runAsUser set     argocd              pod/argocd-application-controller-0
Container runs as root or has no runAsUser set                                   argocd              pod/argocd-application-controller-0
Container runs as root or has no runAsUser set                                   argocd              pod/argocd-application-controller-0
Container argocd-applicationset-controller runs as root or has no runAsUser set  argocd              pod/argocd-applicationset-controller-6fdf84dbb…
Container runs as root or has no runAsUser set                                   argocd              pod/argocd-applicationset-controller-6fdf84dbb…
Container runs as root or has no runAsUser set                                   argocd              pod/argocd-applicationset-controller-6fdf84dbb…
Container dex runs as root or has no runAsUser set                               argocd              pod/argocd-dex-server-556c76889-h4kxj
Container copyutil runs as root or has no runAsUser set                          argocd              pod/argocd-dex-server-556c76889-h4kxj
Container runs as root or has no runAsUser set                                   argocd              pod/argocd-dex-server-556c76889-h4kxj
Container argocd-notifications-controller runs as root or has no runAsUser set   argocd              pod/argocd-notifications-controller-6ff6bf8dd6…
Container runs as root or has no runAsUser set                                   argocd              pod/argocd-notifications-controller-6ff6bf8dd6…
Container runs as root or has no runAsUser set                                   argocd              pod/argocd-notifications-controller-6ff6bf8dd6…
Container argocd-repo-server runs as root or has no runAsUser set                argocd              pod/argocd-repo-server-8568fc89b5-sx6ks
Container copyutil runs as root or has no runAsUser set                          argocd              pod/argocd-repo-server-8568fc89b5-sx6ks
Container runs as root or has no runAsUser set                                   argocd              pod/argocd-repo-server-8568fc89b5-sx6ks
Container argocd-repo-server runs as root or has no runAsUser set                argocd              pod/argocd-repo-server-8568fc89b5-xrzzn
Container copyutil runs as root or has no runAsUser set                          argocd              pod/argocd-repo-server-8568fc89b5-xrzzn
Container runs as root or has no runAsUser set                                   argocd              pod/argocd-repo-server-8568fc89b5-xrzzn
Container argocd-server runs as root or has no runAsUser set                     argocd              pod/argocd-server-54f9645b87-k4rz8
Container runs as root or has no runAsUser set                                   argocd              pod/argocd-server-54f9645b87-k4rz8
Container runs as root or has no runAsUser set                                   argocd              pod/argocd-server-54f9645b87-k4rz8
Container argocd-server runs as root or has no runAsUser set                     argocd              pod/argocd-server-54f9645b87-wwzgz
Container runs as root or has no runAsUser set                                   argocd              pod/argocd-server-54f9645b87-wwzgz
Container runs as root or has no runAsUser set                                   argocd              pod/argocd-server-54f9645b87-wwzgz
Container webserver-simple runs as root or has no runAsUser set                  cert-manager        pod/simple-deployment-74fd649f8d-7cht8
Container runs as root or has no runAsUser set                                   cert-manager        pod/simple-deployment-74fd649f8d-7cht8
Container runs as root or has no runAsUser set                                   cert-manager        pod/simple-deployment-74fd649f8d-7cht8
Container runs as root or has no runAsUser set                                   gatekeeper-system   pod/gatekeeper-audit-77858c8f69-7k782
Container runs as root or has no runAsUser set                                   gatekeeper-system   pod/gatekeeper-audit-77858c8f69-7k782
Container runs as root or has no runAsUser set                                   gatekeeper-system   pod/gatekeeper-controller-6f97954b4b-7tbnr
Container runs as root or has no runAsUser set                                   gatekeeper-system   pod/gatekeeper-controller-6f97954b4b-7tbnr
Container runs as root or has no runAsUser set                                   gatekeeper-system   pod/gatekeeper-controller-6f97954b4b-gwrgg
Container runs as root or has no runAsUser set                                   gatekeeper-system   pod/gatekeeper-controller-6f97954b4b-gwrgg
Container webserver-simple runs as root or has no runAsUser set                  grafana             pod/simple-deployment-74fd649f8d-l7wrd
Container runs as root or has no runAsUser set                                   grafana             pod/simple-deployment-74fd649f8d-l7wrd
Container runs as root or has no runAsUser set                                   grafana             pod/simple-deployment-74fd649f8d-l7wrd
Container kiali runs as
root or has no runAsUser set kiali-operator pod/kiali-5b88cfb6f8-cm8dz Container runs as root or has no runAsUser set kiali-operator pod/kiali-5b88cfb6f8-cm8dz Container runs as root or has no runAsUser set kiali-operator pod/kiali-5b88cfb6f8-cm8dz Container operator runs as root or has no runAsUser set kiali-operator pod/kiali-operator-696bd54db-mr8md Container runs as root or has no runAsUser set kiali-operator pod/kiali-operator-696bd54db-mr8md Container runs as root or has no runAsUser set kiali-operator pod/kiali-operator-696bd54db-mr8md Container node-driver-registrar runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-2l2wl Container secrets-store runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-2l2wl Container liveness-probe runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-2l2wl Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-2l2wl Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-2l2wl Container node-driver-registrar runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-6w2vp Container secrets-store runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-6w2vp Container liveness-probe runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-6w2vp Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-6w2vp Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-6w2vp Container node-driver-registrar runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-7879c Container secrets-store runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-7879c Container liveness-probe runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-7879c Container runs as root 
or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-7879c Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-7879c Container node-driver-registrar runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-m8m29 Container secrets-store runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-m8m29 Container liveness-probe runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-m8m29 Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-m8m29 Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-m8m29 Container node-driver-registrar runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-vnmcd Container secrets-store runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-vnmcd Container liveness-probe runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-vnmcd Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-vnmcd Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-vnmcd Container node-driver-registrar runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-zrfbz Container secrets-store runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-zrfbz Container liveness-probe runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-zrfbz Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-zrfbz Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-csi-driver-zrfbz Container provider-azure-installer runs as root or has no runAsUser set kube-system pod/aks-secrets-store-provider-azure-68nhw Container runs as root or has no runAsUser set kube-system 
pod/aks-secrets-store-provider-azure-68nhw Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-provider-azure-68nhw Container provider-azure-installer runs as root or has no runAsUser set kube-system pod/aks-secrets-store-provider-azure-7bqmn Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-provider-azure-7bqmn Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-provider-azure-7bqmn Container provider-azure-installer runs as root or has no runAsUser set kube-system pod/aks-secrets-store-provider-azure-7r458 Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-provider-azure-7r458 Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-provider-azure-7r458 Container provider-azure-installer runs as root or has no runAsUser set kube-system pod/aks-secrets-store-provider-azure-k9tdc Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-provider-azure-k9tdc Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-provider-azure-k9tdc Container provider-azure-installer runs as root or has no runAsUser set kube-system pod/aks-secrets-store-provider-azure-n952g Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-provider-azure-n952g Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-provider-azure-n952g Container provider-azure-installer runs as root or has no runAsUser set kube-system pod/aks-secrets-store-provider-azure-njpqh Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-provider-azure-njpqh Container runs as root or has no runAsUser set kube-system pod/aks-secrets-store-provider-azure-njpqh Container ama-logs runs as root or has no runAsUser set kube-system pod/ama-logs-4v8mz Container ama-logs-prometheus runs as root or has no runAsUser set kube-system pod/ama-logs-4v8mz Container runs 
as root or has no runAsUser set kube-system pod/ama-logs-4v8mz Container runs as root or has no runAsUser set kube-system pod/ama-logs-4v8mz Container ama-logs runs as root or has no runAsUser set kube-system pod/ama-logs-5vr2w Container ama-logs-prometheus runs as root or has no runAsUser set kube-system pod/ama-logs-5vr2w Container runs as root or has no runAsUser set kube-system pod/ama-logs-5vr2w Container runs as root or has no runAsUser set kube-system pod/ama-logs-5vr2w Container ama-logs runs as root or has no runAsUser set kube-system pod/ama-logs-fmd7b Container ama-logs-prometheus runs as root or has no runAsUser set kube-system pod/ama-logs-fmd7b Container runs as root or has no runAsUser set kube-system pod/ama-logs-fmd7b Container runs as root or has no runAsUser set kube-system pod/ama-logs-fmd7b Container ama-logs runs as root or has no runAsUser set kube-system pod/ama-logs-fpkw6 Container ama-logs-prometheus runs as root or has no runAsUser set kube-system pod/ama-logs-fpkw6 Container runs as root or has no runAsUser set kube-system pod/ama-logs-fpkw6 Container runs as root or has no runAsUser set kube-system pod/ama-logs-fpkw6 Container ama-logs runs as root or has no runAsUser set kube-system pod/ama-logs-gqs28 Container ama-logs-prometheus runs as root or has no runAsUser set kube-system pod/ama-logs-gqs28 Container runs as root or has no runAsUser set kube-system pod/ama-logs-gqs28 Container runs as root or has no runAsUser set kube-system pod/ama-logs-gqs28 Container ama-logs runs as root or has no runAsUser set kube-system pod/ama-logs-ndxrw Container ama-logs-prometheus runs as root or has no runAsUser set kube-system pod/ama-logs-ndxrw Container runs as root or has no runAsUser set kube-system pod/ama-logs-ndxrw Container runs as root or has no runAsUser set kube-system pod/ama-logs-ndxrw Container ama-logs runs as root or has no runAsUser set kube-system pod/ama-logs-rs-64765bd4b9-ldxwl Container runs as root or has no runAsUser set 
kube-system pod/ama-logs-rs-64765bd4b9-ldxwl Container runs as root or has no runAsUser set kube-system pod/ama-logs-rs-64765bd4b9-ldxwl Container prometheus-collector runs as root or has no runAsUser set kube-system pod/ama-metrics-7f878d975f-hlggb Container addon-token-adapter runs as root or has no runAsUser set kube-system pod/ama-metrics-7f878d975f-hlggb Container runs as root or has no runAsUser set kube-system pod/ama-metrics-7f878d975f-hlggb Container runs as root or has no runAsUser set kube-system pod/ama-metrics-7f878d975f-hlggb Container prometheus-collector runs as root or has no runAsUser set kube-system pod/ama-metrics-7f878d975f-q2mlg Container addon-token-adapter runs as root or has no runAsUser set kube-system pod/ama-metrics-7f878d975f-q2mlg Container runs as root or has no runAsUser set kube-system pod/ama-metrics-7f878d975f-q2mlg Container runs as root or has no runAsUser set kube-system pod/ama-metrics-7f878d975f-q2mlg Container prometheus-collector runs as root or has no runAsUser set kube-system pod/ama-metrics-node-2ssrw Container addon-token-adapter runs as root or has no runAsUser set kube-system pod/ama-metrics-node-2ssrw Container runs as root or has no runAsUser set kube-system pod/ama-metrics-node-2ssrw Container runs as root or has no runAsUser set kube-system pod/ama-metrics-node-2ssrw Container prometheus-collector runs as root or has no runAsUser set kube-system pod/ama-metrics-node-6kkz8 Container addon-token-adapter runs as root or has no runAsUser set kube-system pod/ama-metrics-node-6kkz8 Container runs as root or has no runAsUser set kube-system pod/ama-metrics-node-6kkz8 Container runs as root or has no runAsUser set kube-system pod/ama-metrics-node-6kkz8 Container prometheus-collector runs as root or has no runAsUser set kube-system pod/ama-metrics-node-9h44h Container addon-token-adapter runs as root or has no runAsUser set kube-system pod/ama-metrics-node-9h44h Container runs as root or has no runAsUser set kube-system 
pod/ama-metrics-node-9h44h Container runs as root or has no runAsUser set kube-system pod/ama-metrics-node-9h44h Container prometheus-collector runs as root or has no runAsUser set kube-system pod/ama-metrics-node-lhk42 Container addon-token-adapter runs as root or has no runAsUser set kube-system pod/ama-metrics-node-lhk42 Container runs as root or has no runAsUser set kube-system pod/ama-metrics-node-lhk42 Container runs as root or has no runAsUser set kube-system pod/ama-metrics-node-lhk42 Container prometheus-collector runs as root or has no runAsUser set kube-system pod/ama-metrics-node-nm5bf Container addon-token-adapter runs as root or has no runAsUser set kube-system pod/ama-metrics-node-nm5bf Container runs as root or has no runAsUser set kube-system pod/ama-metrics-node-nm5bf Container runs as root or has no runAsUser set kube-system pod/ama-metrics-node-nm5bf Container prometheus-collector runs as root or has no runAsUser set kube-system pod/ama-metrics-node-pqcz5 Container addon-token-adapter runs as root or has no runAsUser set kube-system pod/ama-metrics-node-pqcz5 Container runs as root or has no runAsUser set kube-system pod/ama-metrics-node-pqcz5 Container runs as root or has no runAsUser set kube-system pod/ama-metrics-node-pqcz5 Container targetallocator runs as root or has no runAsUser set kube-system pod/ama-metrics-operator-targets-66fb46c8d6-vs… Container config-reader runs as root or has no runAsUser set kube-system pod/ama-metrics-operator-targets-66fb46c8d6-vs… Container runs as root or has no runAsUser set kube-system pod/ama-metrics-operator-targets-66fb46c8d6-vs… Container runs as root or has no runAsUser set kube-system pod/ama-metrics-operator-targets-66fb46c8d6-vs… Container azure-ip-masq-agent runs as root or has no runAsUser set kube-system pod/azure-ip-masq-agent-4522j Container runs as root or has no runAsUser set kube-system pod/azure-ip-masq-agent-4522j Container runs as root or has no runAsUser set kube-system 
pod/azure-ip-masq-agent-4522j Container azure-ip-masq-agent runs as root or has no runAsUser set kube-system pod/azure-ip-masq-agent-4c7cr Container runs as root or has no runAsUser set kube-system pod/azure-ip-masq-agent-4c7cr Container runs as root or has no runAsUser set kube-system pod/azure-ip-masq-agent-4c7cr Container azure-ip-masq-agent runs as root or has no runAsUser set kube-system pod/azure-ip-masq-agent-78rnw Container runs as root or has no runAsUser set kube-system pod/azure-ip-masq-agent-78rnw Container runs as root or has no runAsUser set kube-system pod/azure-ip-masq-agent-78rnw Container azure-ip-masq-agent runs as root or has no runAsUser set kube-system pod/azure-ip-masq-agent-84ltn Container runs as root or has no runAsUser set kube-system pod/azure-ip-masq-agent-84ltn Container runs as root or has no runAsUser set kube-system pod/azure-ip-masq-agent-84ltn Container azure-ip-masq-agent runs as root or has no runAsUser set kube-system pod/azure-ip-masq-agent-t4c2w Container runs as root or has no runAsUser set kube-system pod/azure-ip-masq-agent-t4c2w Container runs as root or has no runAsUser set kube-system pod/azure-ip-masq-agent-t4c2w Container azure-ip-masq-agent runs as root or has no runAsUser set kube-system pod/azure-ip-masq-agent-vbdd8 Container runs as root or has no runAsUser set kube-system pod/azure-ip-masq-agent-vbdd8 Container runs as root or has no runAsUser set kube-system pod/azure-ip-masq-agent-vbdd8 Container azure-npm runs as root or has no runAsUser set kube-system pod/azure-npm-jsbbh Container block-wireserver runs as root or has no runAsUser set kube-system pod/azure-npm-jsbbh Container runs as root or has no runAsUser set kube-system pod/azure-npm-jsbbh Container azure-npm runs as root or has no runAsUser set kube-system pod/azure-npm-lp6sf Container block-wireserver runs as root or has no runAsUser set kube-system pod/azure-npm-lp6sf Container runs as root or has no runAsUser set kube-system pod/azure-npm-lp6sf 
Container azure-npm runs as root or has no runAsUser set kube-system pod/azure-npm-nv6xx Container block-wireserver runs as root or has no runAsUser set kube-system pod/azure-npm-nv6xx Container runs as root or has no runAsUser set kube-system pod/azure-npm-nv6xx Container azure-npm runs as root or has no runAsUser set kube-system pod/azure-npm-p6fpw Container block-wireserver runs as root or has no runAsUser set kube-system pod/azure-npm-p6fpw Container runs as root or has no runAsUser set kube-system pod/azure-npm-p6fpw Container azure-npm runs as root or has no runAsUser set kube-system pod/azure-npm-vsrfp Container block-wireserver runs as root or has no runAsUser set kube-system pod/azure-npm-vsrfp Container runs as root or has no runAsUser set kube-system pod/azure-npm-vsrfp Container azure-npm runs as root or has no runAsUser set kube-system pod/azure-npm-z8mcz Container block-wireserver runs as root or has no runAsUser set kube-system pod/azure-npm-z8mcz Container runs as root or has no runAsUser set kube-system pod/azure-npm-z8mcz Container azure-policy runs as root or has no runAsUser set kube-system pod/azure-policy-698f7c86b4-nnff2 Container runs as root or has no runAsUser set kube-system pod/azure-policy-698f7c86b4-nnff2 Container runs as root or has no runAsUser set kube-system pod/azure-policy-698f7c86b4-nnff2 Container runs as root or has no runAsUser set kube-system pod/azure-policy-webhook-764fdf5cd5-6vrc5 Container runs as root or has no runAsUser set kube-system pod/azure-policy-webhook-764fdf5cd5-6vrc5 Container runs as root or has no runAsUser set kube-system pod/azure-wi-webhook-controller-manager-7f95f6… Container runs as root or has no runAsUser set kube-system pod/azure-wi-webhook-controller-manager-7f95f6… Container runs as root or has no runAsUser set kube-system pod/azure-wi-webhook-controller-manager-7f95f6… Container runs as root or has no runAsUser set kube-system pod/azure-wi-webhook-controller-manager-7f95f6… Container 
cloud-node-manager runs as root or has no runAsUser set kube-system pod/cloud-node-manager-57rk2 Container runs as root or has no runAsUser set kube-system pod/cloud-node-manager-57rk2 Container runs as root or has no runAsUser set kube-system pod/cloud-node-manager-57rk2 Container cloud-node-manager runs as root or has no runAsUser set kube-system pod/cloud-node-manager-gl5xl Container runs as root or has no runAsUser set kube-system pod/cloud-node-manager-gl5xl Container runs as root or has no runAsUser set kube-system pod/cloud-node-manager-gl5xl Container cloud-node-manager runs as root or has no runAsUser set kube-system pod/cloud-node-manager-l7v5j Container runs as root or has no runAsUser set kube-system pod/cloud-node-manager-l7v5j Container runs as root or has no runAsUser set kube-system pod/cloud-node-manager-l7v5j Container cloud-node-manager runs as root or has no runAsUser set kube-system pod/cloud-node-manager-lr49d Container runs as root or has no runAsUser set kube-system pod/cloud-node-manager-lr49d Container runs as root or has no runAsUser set kube-system pod/cloud-node-manager-lr49d Container cloud-node-manager runs as root or has no runAsUser set kube-system pod/cloud-node-manager-n5qdr Container runs as root or has no runAsUser set kube-system pod/cloud-node-manager-n5qdr Container runs as root or has no runAsUser set kube-system pod/cloud-node-manager-n5qdr Container cloud-node-manager runs as root or has no runAsUser set kube-system pod/cloud-node-manager-xwrrd Container runs as root or has no runAsUser set kube-system pod/cloud-node-manager-xwrrd Container runs as root or has no runAsUser set kube-system pod/cloud-node-manager-xwrrd Container coredns runs as root or has no runAsUser set kube-system pod/coredns-658d6d767d-757xp Container runs as root or has no runAsUser set kube-system pod/coredns-658d6d767d-757xp Container runs as root or has no runAsUser set kube-system pod/coredns-658d6d767d-757xp Container coredns runs as root or has 
no runAsUser set kube-system pod/coredns-658d6d767d-pt6l6 Container runs as root or has no runAsUser set kube-system pod/coredns-658d6d767d-pt6l6 Container runs as root or has no runAsUser set kube-system pod/coredns-658d6d767d-pt6l6 Container autoscaler runs as root or has no runAsUser set kube-system pod/coredns-autoscaler-5955d6bbdb-mz9kn Container runs as root or has no runAsUser set kube-system pod/coredns-autoscaler-5955d6bbdb-mz9kn Container runs as root or has no runAsUser set kube-system pod/coredns-autoscaler-5955d6bbdb-mz9kn Container runs as root or has no runAsUser set kube-system pod/eraser-controller-manager-864f9476c8-lhdfc Container runs as root or has no runAsUser set kube-system pod/eraser-controller-manager-864f9476c8-lhdfc Container extension-agent runs as root or has no runAsUser set kube-system pod/extension-agent-66c4486d68-46cqq Container fluent-bit runs as root or has no runAsUser set kube-system pod/extension-agent-66c4486d68-46cqq Container runs as root or has no runAsUser set kube-system pod/extension-agent-66c4486d68-46cqq Container runs as root or has no runAsUser set kube-system pod/extension-agent-66c4486d68-46cqq Container manager runs as root or has no runAsUser set kube-system pod/extension-operator-d95fd449b-ssrcx Container fluent-bit runs as root or has no runAsUser set kube-system pod/extension-operator-d95fd449b-ssrcx Container runs as root or has no runAsUser set kube-system pod/extension-operator-d95fd449b-ssrcx Container runs as root or has no runAsUser set kube-system pod/extension-operator-d95fd449b-ssrcx Container konnectivity-agent runs as root or has no runAsUser set kube-system pod/konnectivity-agent-9f65c5cd8-fzm5q Container runs as root or has no runAsUser set kube-system pod/konnectivity-agent-9f65c5cd8-fzm5q Container runs as root or has no runAsUser set kube-system pod/konnectivity-agent-9f65c5cd8-fzm5q Container konnectivity-agent runs as root or has no runAsUser set kube-system 
pod/konnectivity-agent-9f65c5cd8-t9qdj Container runs as root or has no runAsUser set kube-system pod/konnectivity-agent-9f65c5cd8-t9qdj Container runs as root or has no runAsUser set kube-system pod/konnectivity-agent-9f65c5cd8-t9qdj Container autoscaler runs as root or has no runAsUser set kube-system pod/konnectivity-agent-autoscaler-cdfc7c46-vct… Container runs as root or has no runAsUser set kube-system pod/konnectivity-agent-autoscaler-cdfc7c46-vct… Container runs as root or has no runAsUser set kube-system pod/konnectivity-agent-autoscaler-cdfc7c46-vct… Container kube-proxy runs as root or has no runAsUser set kube-system pod/kube-proxy-26xkd Container kube-proxy-bootstrap runs as root or has no runAsUser set kube-system pod/kube-proxy-26xkd Container runs as root or has no runAsUser set kube-system pod/kube-proxy-26xkd Container kube-proxy runs as root or has no runAsUser set kube-system pod/kube-proxy-6mrql Container kube-proxy-bootstrap runs as root or has no runAsUser set kube-system pod/kube-proxy-6mrql Container runs as root or has no runAsUser set kube-system pod/kube-proxy-6mrql Container kube-proxy runs as root or has no runAsUser set kube-system pod/kube-proxy-9rbxf Container kube-proxy-bootstrap runs as root or has no runAsUser set kube-system pod/kube-proxy-9rbxf Container runs as root or has no runAsUser set kube-system pod/kube-proxy-9rbxf Container kube-proxy runs as root or has no runAsUser set kube-system pod/kube-proxy-njzgk Container kube-proxy-bootstrap runs as root or has no runAsUser set kube-system pod/kube-proxy-njzgk Container runs as root or has no runAsUser set kube-system pod/kube-proxy-njzgk Container kube-proxy runs as root or has no runAsUser set kube-system pod/kube-proxy-rvmxl Container kube-proxy-bootstrap runs as root or has no runAsUser set kube-system pod/kube-proxy-rvmxl Container runs as root or has no runAsUser set kube-system pod/kube-proxy-rvmxl Container kube-proxy runs as root or has no runAsUser set kube-system 
pod/kube-proxy-vp7xj Container kube-proxy-bootstrap runs as root or has no runAsUser set kube-system pod/kube-proxy-vp7xj Container runs as root or has no runAsUser set kube-system pod/kube-proxy-vp7xj Container runs as root or has no runAsUser set kube-system pod/metrics-server-5f9ccffcc4-jsrjl Container runs as root or has no runAsUser set kube-system pod/metrics-server-5f9ccffcc4-jsrjl Container runs as root or has no runAsUser set kube-system pod/metrics-server-5f9ccffcc4-v88pw Container runs as root or has no runAsUser set kube-system pod/metrics-server-5f9ccffcc4-v88pw Container microsoft-defender-pod-collector runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-6xdfq Container microsoft-defender-low-level-collector runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-6xdfq Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-6xdfq Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-6xdfq Container microsoft-defender-pod-collector runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-89l74 Container microsoft-defender-low-level-collector runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-89l74 Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-89l74 Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-89l74 Container microsoft-defender-pod-collector runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-d7gwk Container microsoft-defender-low-level-collector runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-d7gwk Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-d7gwk Container runs as root or has no runAsUser set kube-system 
pod/microsoft-defender-collector-ds-d7gwk Container microsoft-defender-pod-collector runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-mdcs8 Container microsoft-defender-low-level-collector runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-mdcs8 Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-mdcs8 Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-mdcs8 Container microsoft-defender-pod-collector runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-q6d6c Container microsoft-defender-low-level-collector runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-q6d6c Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-q6d6c Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-q6d6c Container microsoft-defender-pod-collector runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-wb5dm Container microsoft-defender-low-level-collector runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-wb5dm Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-wb5dm Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-ds-wb5dm Container microsoft-defender-pod-collector runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-misc-7df67764… Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-misc-7df67764… Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-collector-misc-7df67764… Container microsoft-defender-publisher runs as root or has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-2ql5b Container old-file-cleaner runs as root or 
has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-2ql5b Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-2ql5b Container microsoft-defender-publisher runs as root or has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-2rsrw Container old-file-cleaner runs as root or has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-2rsrw Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-2rsrw Container microsoft-defender-publisher runs as root or has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-jj6dh Container old-file-cleaner runs as root or has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-jj6dh Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-jj6dh Container microsoft-defender-publisher runs as root or has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-l5crs Container old-file-cleaner runs as root or has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-l5crs Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-l5crs Container microsoft-defender-publisher runs as root or has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-lfk8h Container old-file-cleaner runs as root or has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-lfk8h Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-lfk8h Container microsoft-defender-publisher runs as root or has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-vz2c6 Container old-file-cleaner runs as root or has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-vz2c6 Container runs as root or has no runAsUser set kube-system pod/microsoft-defender-publisher-ds-vz2c6 Container retina runs as root or has no runAsUser set kube-system 
pod/retina-agent-cgv48
Container retina-agent-init runs as root or has no runAsUser set  kube-system     pod/retina-agent-cgv48
Container runs as root or has no runAsUser set                    kube-system     pod/retina-agent-cgv48
Container retina runs as root or has no runAsUser set             kube-system     pod/retina-agent-gjxk8
Container retina-agent-init runs as root or has no runAsUser set  kube-system     pod/retina-agent-gjxk8
Container runs as root or has no runAsUser set                    kube-system     pod/retina-agent-gjxk8
Container retina runs as root or has no runAsUser set             kube-system     pod/retina-agent-js76w
Container retina-agent-init runs as root or has no runAsUser set  kube-system     pod/retina-agent-js76w
Container runs as root or has no runAsUser set                    kube-system     pod/retina-agent-js76w
Container retina runs as root or has no runAsUser set             kube-system     pod/retina-agent-lfn7d
Container retina-agent-init runs as root or has no runAsUser set  kube-system     pod/retina-agent-lfn7d
Container runs as root or has no runAsUser set                    kube-system     pod/retina-agent-lfn7d
Container retina runs as root or has no runAsUser set             kube-system     pod/retina-agent-qc9bs
Container retina-agent-init runs as root or has no runAsUser set  kube-system     pod/retina-agent-qc9bs
Container runs as root or has no runAsUser set                    kube-system     pod/retina-agent-qc9bs
Container retina runs as root or has no runAsUser set             kube-system     pod/retina-agent-wlt7b
Container retina-agent-init runs as root or has no runAsUser set  kube-system     pod/retina-agent-wlt7b
Container runs as root or has no runAsUser set                    kube-system     pod/retina-agent-wlt7b
Container webserver-simple runs as root or has no runAsUser set   kubeview        pod/simple-deployment-74fd649f8d-qxp2r
Container runs as root or has no runAsUser set                    kubeview        pod/simple-deployment-74fd649f8d-qxp2r
Container runs as root or has no runAsUser set                    kubeview        pod/simple-deployment-74fd649f8d-qxp2r
Container webserver-simple runs as root or has no runAsUser set   linkerd         pod/simple-deployment-74fd649f8d-mkmst
Container runs as root or has no runAsUser set                    linkerd         pod/simple-deployment-74fd649f8d-mkmst
Container runs as root or has no runAsUser set                    linkerd         pod/simple-deployment-74fd649f8d-mkmst
Container webserver-simple runs as root or has no runAsUser set   nginx           pod/simple-deployment-74fd649f8d-hlcdk
Container runs as root or has no runAsUser set                    nginx           pod/simple-deployment-74fd649f8d-hlcdk
Container runs as root or has no runAsUser set                    nginx           pod/simple-deployment-74fd649f8d-hlcdk
Container order-service runs as root or has no runAsUser set      pets            pod/order-service-6c5bfb6946-b58xq
Container wait-for-rabbitmq runs as root or has no runAsUser set  pets            pod/order-service-6c5bfb6946-b58xq
Container istio-init runs as root or has no runAsUser set         pets            pod/order-service-6c5bfb6946-b58xq
Container runs as root or has no runAsUser set                    pets            pod/order-service-6c5bfb6946-b58xq
Container product-service runs as root or has no runAsUser set    pets            pod/product-service-5dd87dfb8-ssfxc
Container istio-init runs as root or has no runAsUser set         pets            pod/product-service-5dd87dfb8-ssfxc
Container runs as root or has no runAsUser set                    pets            pod/product-service-5dd87dfb8-ssfxc
Container rabbitmq runs as root or has no runAsUser set           pets            pod/rabbitmq-0
Container istio-init runs as root or has no runAsUser set         pets            pod/rabbitmq-0
Container runs as root or has no runAsUser set                    pets            pod/rabbitmq-0
Container store-front runs as root or has no runAsUser set        pets            pod/store-front-658994fd95-pk9qn
Container istio-init runs as root or has no runAsUser set         pets            pod/store-front-658994fd95-pk9qn
Container runs as root or has no runAsUser set                    pets            pod/store-front-658994fd95-pk9qn
Container webserver-simple runs as root or has no runAsUser set   prometheus      pod/simple-deployment-74fd649f8d-2x6w5
Container runs as root or has no runAsUser set                    prometheus      pod/simple-deployment-74fd649f8d-2x6w5
Container runs as root or has no runAsUser set                    prometheus      pod/simple-deployment-74fd649f8d-2x6w5
Container webserver-simple runs as root or has no runAsUser set   sealed-secrets  pod/simple-deployment-74fd649f8d-stktp
Container runs as root or has no runAsUser set                    sealed-secrets  pod/simple-deployment-74fd649f8d-stktp
Container runs as root or has no runAsUser set                    sealed-secrets  pod/simple-deployment-74fd649f8d-stktp
Container webserver-simple runs as root or has no runAsUser set   test            pod/simple-deployment-74fd649f8d-lhlkx
Container runs as root or has no runAsUser set                    test            pod/simple-deployment-74fd649f8d-lhlkx
Container runs as root or has no runAsUser set                    test            pod/simple-deployment-74fd649f8d-lhlkx

Category: Pod Security
Severity: High
Recommendation: Avoid running pods as root by explicitly setting runAsUser to a non-zero UID in pod or container securityContext.
URL: https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline

SEC004 - Privileged Containers
Total Issues: 37

Message                                                         Namespace    Resource                                Value
-------                                                         ---------    --------                                -----
Container 'secrets-store' is running in privileged mode         kube-system  pod/aks-secrets-store-csi-driver-2l2wl  privileged=true
Container 'secrets-store' is running in privileged mode         kube-system  pod/aks-secrets-store-csi-driver-6w2vp  privileged=true
Container 'secrets-store' is running in privileged mode         kube-system  pod/aks-secrets-store-csi-driver-7879c  privileged=true
Container 'secrets-store' is running in privileged mode         kube-system  pod/aks-secrets-store-csi-driver-m8m29  privileged=true
Container 'secrets-store' is running in privileged mode         kube-system  pod/aks-secrets-store-csi-driver-vnmcd  privileged=true
Container 'secrets-store' is running in privileged mode         kube-system  pod/aks-secrets-store-csi-driver-zrfbz  privileged=true
Container 'ama-logs' is running in privileged mode              kube-system  pod/ama-logs-4v8mz                      privileged=true
Container 'ama-logs-prometheus' is running in privileged mode   kube-system  pod/ama-logs-4v8mz                      privileged=true
Container 'ama-logs' is running in privileged mode              kube-system  pod/ama-logs-5vr2w                      privileged=true
Container 'ama-logs-prometheus' is running in privileged mode   kube-system  pod/ama-logs-5vr2w                      privileged=true
Container 'ama-logs' is running in privileged mode              kube-system  pod/ama-logs-fmd7b                      privileged=true
Container 'ama-logs-prometheus' is running in privileged mode   kube-system  pod/ama-logs-fmd7b                      privileged=true
Container 'ama-logs' is running in privileged mode              kube-system  pod/ama-logs-fpkw6                      privileged=true
Container 'ama-logs-prometheus' is running in privileged mode   kube-system  pod/ama-logs-fpkw6                      privileged=true
Container 'ama-logs' is running in privileged mode              kube-system  pod/ama-logs-gqs28                      privileged=true
Container 'ama-logs-prometheus' is running in privileged mode   kube-system  pod/ama-logs-gqs28                      privileged=true
Container 'ama-logs' is running in privileged mode              kube-system  pod/ama-logs-ndxrw                      privileged=true
Container 'ama-logs-prometheus' is running in privileged mode   kube-system  pod/ama-logs-ndxrw                      privileged=true
Container 'ama-logs' is running in privileged mode              kube-system  pod/ama-logs-rs-64765bd4b9-ldxwl        privileged=true
Container 'kube-proxy' is running in privileged mode            kube-system  pod/kube-proxy-26xkd                    privileged=true
Container 'kube-proxy-bootstrap' is running in privileged mode  kube-system  pod/kube-proxy-26xkd                    privileged=true
Container 'kube-proxy' is running in privileged mode            kube-system  pod/kube-proxy-6mrql                    privileged=true
Container 'kube-proxy-bootstrap' is running in privileged mode  kube-system  pod/kube-proxy-6mrql                    privileged=true
Container 'kube-proxy' is running in privileged mode            kube-system  pod/kube-proxy-9rbxf                    privileged=true
Container 'kube-proxy-bootstrap' is running in privileged mode  kube-system  pod/kube-proxy-9rbxf                    privileged=true
Container 'kube-proxy' is running in privileged mode            kube-system  pod/kube-proxy-njzgk                    privileged=true
Container 'kube-proxy-bootstrap' is running in privileged mode  kube-system  pod/kube-proxy-njzgk                    privileged=true
Container 'kube-proxy' is running in privileged mode            kube-system  pod/kube-proxy-rvmxl                    privileged=true
Container 'kube-proxy-bootstrap' is running in privileged mode  kube-system  pod/kube-proxy-rvmxl                    privileged=true
Container 'kube-proxy' is running in privileged mode            kube-system  pod/kube-proxy-vp7xj                    privileged=true
Container 'kube-proxy-bootstrap' is running in privileged mode  kube-system  pod/kube-proxy-vp7xj                    privileged=true
Container 'retina-agent-init' is running in privileged mode     kube-system  pod/retina-agent-cgv48                  privileged=true
Container 'retina-agent-init' is running in privileged mode     kube-system  pod/retina-agent-gjxk8                  privileged=true
Container 'retina-agent-init' is running in privileged mode     kube-system  pod/retina-agent-js76w                  privileged=true
Container 'retina-agent-init' is running in privileged mode     kube-system  pod/retina-agent-lfn7d                  privileged=true
Container 'retina-agent-init' is running in privileged mode     kube-system  pod/retina-agent-qc9bs                  privileged=true
Container 'retina-agent-init' is running in privileged mode     kube-system  pod/retina-agent-wlt7b                  privileged=true

Category: Pod Security
Severity: High
Recommendation: Avoid using privileged containers unless absolutely necessary, as they grant broad access to host resources.
URL: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

SEC005 - Pods Using hostIPC
Total Issues: 0

✅ No issues detected for Pods Using hostIPC.

Category: Pod Security
Severity: High
Recommendation: Avoid using hostIPC in pods unless absolutely required for specific functionality.
URL: https://kubernetes.io/docs/concepts/security/pod-security-standards/#host-namespaces

SEC006 - Pods Missing Secure Defaults
Total Issues: 155

Container                               Flags                                                                          Issue
---------                               -----                                                                          -----
controller                              runAsNonRoot: True, readOnlyRootFilesystem: , allowPrivilegeEscalation: False  Missing one or more secure defaults
controller                              runAsNonRoot: True, readOnlyRootFilesystem: , allowPrivilegeEscalation: False  Missing one or more secure defaults
webserver-simple                        Missing securityContext                                                        No securityContext defined
webserver-simple                        Missing securityContext                                                        No securityContext defined
argocd-notifications-controller         runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
haproxy                                 runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
haproxy                                 runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
haproxy                                 runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
redis                                   runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
sentinel                                runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
split-brain-fix                         runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
redis                                   runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
sentinel                                runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
split-brain-fix                         runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
redis                                   runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
sentinel                                runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
split-brain-fix                         runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
webserver-simple                        Missing securityContext                                                        No securityContext defined
webserver-simple                        Missing securityContext                                                        No securityContext defined
node-driver-registrar                   Missing securityContext                                                        No securityContext defined
secrets-store                           runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
liveness-probe                          Missing securityContext                                                        No securityContext defined
node-driver-registrar                   Missing securityContext                                                        No securityContext defined
secrets-store                           runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
liveness-probe                          Missing securityContext                                                        No securityContext defined
node-driver-registrar                   Missing securityContext                                                        No securityContext defined
secrets-store                           runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
liveness-probe                          Missing securityContext                                                        No securityContext defined
node-driver-registrar                   Missing securityContext                                                        No securityContext defined
secrets-store                           runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
liveness-probe                          Missing securityContext                                                        No securityContext defined
node-driver-registrar                   Missing securityContext                                                        No securityContext defined
secrets-store                           runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
liveness-probe                          Missing securityContext                                                        No securityContext defined
node-driver-registrar                   Missing securityContext                                                        No securityContext defined
secrets-store                           runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
liveness-probe                          Missing securityContext                                                        No securityContext defined
provider-azure-installer                runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:        Missing one or more secure defaults
provider-azure-installer                runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:        Missing one or more secure defaults
provider-azure-installer                runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:        Missing one or more secure defaults
provider-azure-installer                runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:        Missing one or more secure defaults
provider-azure-installer                runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:        Missing one or more secure defaults
provider-azure-installer                runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:        Missing one or more secure defaults
ama-logs                                runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
ama-logs-prometheus                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
ama-logs                                runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
ama-logs-prometheus                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
ama-logs                                runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
ama-logs-prometheus                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
ama-logs                                runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
ama-logs-prometheus                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
ama-logs                                runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
ama-logs-prometheus                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
ama-logs                                runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
ama-logs-prometheus                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
ama-logs                                runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
prometheus-collector                    runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
addon-token-adapter                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
prometheus-collector                    runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
addon-token-adapter                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
ama-metrics-ksm                         runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
prometheus-collector                    runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
addon-token-adapter                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
prometheus-collector                    runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
addon-token-adapter                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
prometheus-collector                    runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
addon-token-adapter                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
prometheus-collector                    runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
addon-token-adapter                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
prometheus-collector                    runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
addon-token-adapter                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
prometheus-collector                    runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
addon-token-adapter                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
targetallocator                         runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
config-reader                           runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
azure-ip-masq-agent                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
azure-ip-masq-agent                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
azure-ip-masq-agent                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
azure-ip-masq-agent                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
azure-ip-masq-agent                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
azure-ip-masq-agent                     runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
azure-npm                               runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:        Missing one or more secure defaults
azure-npm                               runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:        Missing one or more secure defaults
azure-npm                               runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:        Missing one or more secure defaults
azure-npm                               runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:        Missing one or more secure defaults
azure-npm                               runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:        Missing one or more secure defaults
azure-npm                               runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:        Missing one or more secure defaults
azure-policy                            runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
cloud-node-manager                      runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
cloud-node-manager                      runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
cloud-node-manager                      runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
cloud-node-manager                      runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
cloud-node-manager                      runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
cloud-node-manager                      runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
coredns                                 runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
coredns                                 runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
autoscaler                              runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
extension-agent                         Missing securityContext                                                        No securityContext defined
fluent-bit                              Missing securityContext                                                        No securityContext defined
manager                                 Missing securityContext                                                        No securityContext defined
fluent-bit                              Missing securityContext                                                        No securityContext defined
keda-admission-webhooks                 runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
keda-admission-webhooks                 runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
keda-operator                           runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
keda-operator                           runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
keda-operator-metrics-apiserver         runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
keda-operator-metrics-apiserver         runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False  Missing one or more secure defaults
konnectivity-agent                      runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
konnectivity-agent                      runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
autoscaler                              runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
kube-proxy                              runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
kube-proxy                              runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
kube-proxy                              runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
kube-proxy                              runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
kube-proxy                              runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
kube-proxy                              runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-pod-collector        runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-low-level-collector  runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-pod-collector        runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-low-level-collector  runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-pod-collector        runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-low-level-collector  runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-pod-collector        runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-low-level-collector  runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-pod-collector        runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-low-level-collector  runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-pod-collector        runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-low-level-collector  runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-pod-collector        runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-publisher            runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-publisher            runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-publisher            runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-publisher            runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-publisher            runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
microsoft-defender-publisher            runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
retina                                  runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
retina                                  runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
retina                                  runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
retina                                  runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
retina                                  runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
retina                                  runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
admission-controller                    runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
admission-controller                    runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
recommender                             runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
updater                                 runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:            Missing one or more secure defaults
webserver-simple                        Missing securityContext                                                        No securityContext defined
webserver-simple                        Missing securityContext                                                        No securityContext defined
webserver-simple                        Missing securityContext                                                        No securityContext defined
order-service                           Missing securityContext                                                        No securityContext defined
product-service                         Missing securityContext                                                        No securityContext defined
rabbitmq                                Missing securityContext                                                        No securityContext defined
store-front                             Missing securityContext                                                        No securityContext defined
webserver-simple                        Missing securityContext                                                        No securityContext defined
webserver-simple                        Missing securityContext                                                        No securityContext defined
webserver-simple                        Missing securityContext                                                        No securityContext defined

Category: Pod Security
Severity: Medium
Recommendation: Set runAsNonRoot=true, readOnlyRootFilesystem=true, and allowPrivilegeEscalation=false for all pods and containers.
URL: https://kubernetes.io/docs/concepts/security/pod-security-standards/

SEC007 - Missing Pod Security Admission Labels
Total Issues: 32

Audit  Issue                   Namespace           Warn
-----  -----                   ---------           ----
N/A    No pod security labels  1                   N/A
N/A    No pod security labels  10                  N/A
N/A    No pod security labels  2                   N/A
N/A    No pod security labels  3                   N/A
N/A    No pod security labels  4                   N/A
N/A    No pod security labels  5                   N/A
N/A    No pod security labels  6                   N/A
N/A    No pod security labels  7                   N/A
N/A    No pod security labels  8                   N/A
N/A    No pod security labels  9                   N/A
N/A    No pod security labels  aks-istio-egress    N/A
N/A    No pod security labels  aks-istio-ingress   N/A
N/A    No pod security labels  aks-istio-system    N/A
N/A    No pod security labels  app-routing-system  N/A
N/A    No pod security labels  argo-rollouts       N/A
N/A    No pod security labels  argo-workflows      N/A
N/A    No pod security labels  argocd              N/A
N/A    No pod security labels  cert-manager        N/A
N/A    No pod security labels  default             N/A
N/A    No pod security labels  gatekeeper-system   N/A
N/A    No pod security labels  grafana             N/A
N/A    No pod security labels  kiali-operator      N/A
N/A    No pod security labels  kube-node-lease     N/A
N/A    No pod security labels  kube-public         N/A
N/A    No pod security labels  kube-system         N/A
N/A    No pod security labels  kubeview            N/A
N/A    No pod security labels  linkerd             N/A
N/A    No pod security labels  nginx               N/A
N/A    No pod security labels  pets                N/A
N/A    No pod security labels  prometheus          N/A
N/A    No pod security labels  sealed-secrets      N/A
N/A    No pod security labels  test                N/A

Category: Pod Security
Severity: Low
Recommendation: Add 'pod-security.kubernetes.io/enforce' labels to your namespaces to enforce Pod Security standards. Use values like 'baseline' or 'restricted'.
URL: https://kubernetes.io/docs/concepts/security/pod-security-admission/

SEC008 - Secrets in Environment Variables
Total Issues: 20

EnvVar               Issue                                                                               Namespace  Pod
------               -----                                                                               ---------  ---
env: REDIS_PASSWORD  Secret argocd-redis exposed via env var in container argocd-application-controller  argocd     pod/argocd-application-controller-0
env: AUTH            Secret argocd-redis exposed via env var in container haproxy                        argocd     pod/argocd-redis-ha-haproxy-fb657456c-…
env: AUTH            Secret argocd-redis exposed via env var in container haproxy                        argocd     pod/argocd-redis-ha-haproxy-fb657456c-…
env: AUTH            Secret argocd-redis exposed via env var in container haproxy                        argocd     pod/argocd-redis-ha-haproxy-fb657456c-…
env: AUTH            Secret argocd-redis exposed via env var in container redis                          argocd     pod/argocd-redis-ha-server-0
env: AUTH            Secret argocd-redis exposed via env var in container sentinel                       argocd     pod/argocd-redis-ha-server-0
env: AUTH            Secret argocd-redis exposed via env var in container split-brain-fix                argocd     pod/argocd-redis-ha-server-0
env: AUTH            Secret argocd-redis exposed via env var in container config-init                    argocd     pod/argocd-redis-ha-server-0
env: AUTH            Secret argocd-redis exposed via env var in container redis                          argocd     pod/argocd-redis-ha-server-1
env: AUTH            Secret argocd-redis exposed via env var in container sentinel                       argocd     pod/argocd-redis-ha-server-1
env: AUTH            Secret argocd-redis exposed via env var in container split-brain-fix                argocd     pod/argocd-redis-ha-server-1
env: AUTH            Secret argocd-redis exposed via env var in container config-init                    argocd     pod/argocd-redis-ha-server-1
env: AUTH            Secret argocd-redis exposed via env var in container redis                          argocd     pod/argocd-redis-ha-server-2
env: AUTH            Secret argocd-redis exposed via env var in container sentinel                       argocd     pod/argocd-redis-ha-server-2
env: AUTH            Secret argocd-redis exposed via env var in container split-brain-fix                argocd     pod/argocd-redis-ha-server-2
env: AUTH            Secret argocd-redis exposed via env var in container config-init                    argocd     pod/argocd-redis-ha-server-2
env: REDIS_PASSWORD  Secret argocd-redis exposed via env var in container argocd-repo-server             argocd     pod/argocd-repo-server-8568fc89b5-sx6ks
env: REDIS_PASSWORD  Secret argocd-redis exposed via env var in container argocd-repo-server             argocd     pod/argocd-repo-server-8568fc89b5-xrzzn
env: REDIS_PASSWORD  Secret argocd-redis exposed via env var in container argocd-server                  argocd     pod/argocd-server-54f9645b87-k4rz8
env: REDIS_PASSWORD  Secret argocd-redis exposed via env var in container argocd-server                  argocd     pod/argocd-server-54f9645b87-wwzgz

Category: Pod Security
Severity: High
Recommendation: Avoid exposing secrets in environment variables. Mount secrets as volumes instead.
URL: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables

SEC009 - Missing Capabilities Drop
Total Issues: 42

Container              Issue                           Namespace       Pod
---------              -----                           ---------       ---
webserver-simple       Does not drop ALL capabilities  argo-rollouts   simple-deployment-74fd649f8d-996vt
webserver-simple       Does not drop ALL capabilities  argo-workflows  simple-deployment-74fd649f8d-24t56
webserver-simple       Does not drop ALL capabilities  cert-manager    simple-deployment-74fd649f8d-7cht8
webserver-simple       Does not drop ALL capabilities  grafana         simple-deployment-74fd649f8d-l7wrd
node-driver-registrar  Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-2l2wl
secrets-store          Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-2l2wl
liveness-probe         Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-2l2wl
node-driver-registrar  Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-6w2vp
secrets-store          Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-6w2vp
liveness-probe         Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-6w2vp
node-driver-registrar  Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-7879c
secrets-store          Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-7879c
liveness-probe         Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-7879c
node-driver-registrar  Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-m8m29
secrets-store          Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-m8m29
liveness-probe         Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-m8m29
node-driver-registrar  Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-vnmcd
secrets-store          Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-vnmcd
liveness-probe         Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-vnmcd
node-driver-registrar  Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-zrfbz
secrets-store          Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-zrfbz
liveness-probe         Does not drop ALL capabilities  kube-system     aks-secrets-store-csi-driver-zrfbz
extension-agent        Does not drop ALL capabilities  kube-system     extension-agent-66c4486d68-46cqq
fluent-bit             Does not drop ALL capabilities  kube-system     extension-agent-66c4486d68-46cqq
manager                Does not drop ALL capabilities  kube-system     extension-operator-d95fd449b-ssrcx
fluent-bit             Does not drop ALL capabilities  kube-system     extension-operator-d95fd449b-ssrcx
kube-proxy             Does not drop ALL capabilities  kube-system     kube-proxy-26xkd
kube-proxy             Does not drop ALL capabilities  kube-system     kube-proxy-6mrql
kube-proxy             Does not drop ALL capabilities  kube-system     kube-proxy-9rbxf
kube-proxy             Does not drop ALL capabilities  kube-system     kube-proxy-njzgk
kube-proxy             Does not drop ALL capabilities  kube-system     kube-proxy-rvmxl
kube-proxy             Does not drop ALL capabilities  kube-system     kube-proxy-vp7xj
webserver-simple       Does not drop ALL capabilities  kubeview        simple-deployment-74fd649f8d-qxp2r
webserver-simple       Does not drop ALL capabilities  linkerd         simple-deployment-74fd649f8d-mkmst
webserver-simple       Does not drop ALL capabilities  nginx           simple-deployment-74fd649f8d-hlcdk
order-service          Does not drop ALL capabilities  pets            order-service-6c5bfb6946-b58xq
product-service        Does not drop ALL capabilities  pets            product-service-5dd87dfb8-ssfxc
rabbitmq               Does not drop ALL capabilities  pets            rabbitmq-0
store-front            Does not drop ALL capabilities  pets            store-front-658994fd95-pk9qn
webserver-simple       Does not drop ALL capabilities  prometheus      simple-deployment-74fd649f8d-2x6w5
webserver-simple       Does not drop ALL capabilities  sealed-secrets  simple-deployment-74fd649f8d-stktp
webserver-simple       Does not drop ALL capabilities  test            simple-deployment-74fd649f8d-lhlkx

Category: Pod Security
Severity: Medium
Recommendation: Explicitly drop all Linux capabilities unless specific ones are needed.
URL: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

SEC010 - HostPath Volume Usage
Total Issues: 309

Issue                 Namespace    Path                                         Pod                                     Volume
-----                 ---------    ----                                         ---                                     ------
hostPath volume used  kube-system  /var/lib/kubelet/pods                        aks-secrets-store-csi-driver-2l2wl      mountpoint-dir
hostPath volume used  kube-system  /var/lib/kubelet/plugins_registry/           aks-secrets-store-csi-driver-2l2wl      registration-dir
hostPath volume used  kube-system  /var/lib/kubelet/plugins/csi-secrets-store/  aks-secrets-store-csi-driver-2l2wl      plugin-dir
hostPath volume used  kube-system  /var/run/secrets-store-csi-providers         aks-secrets-store-csi-driver-2l2wl      providers-dir
hostPath volume used  kube-system  /etc/kubernetes/secrets-store-csi-providers  aks-secrets-store-csi-driver-2l2wl      providers-dir-0
hostPath volume used  kube-system  /var/lib/kubelet/pods                        aks-secrets-store-csi-driver-6w2vp      mountpoint-dir
hostPath volume used  kube-system  /var/lib/kubelet/plugins_registry/           aks-secrets-store-csi-driver-6w2vp      registration-dir
hostPath volume used  kube-system  /var/lib/kubelet/plugins/csi-secrets-store/  aks-secrets-store-csi-driver-6w2vp      plugin-dir
hostPath volume used  kube-system  /var/run/secrets-store-csi-providers         aks-secrets-store-csi-driver-6w2vp      providers-dir
hostPath volume used  kube-system  /etc/kubernetes/secrets-store-csi-providers  aks-secrets-store-csi-driver-6w2vp      providers-dir-0
hostPath volume used  kube-system  /var/lib/kubelet/pods                        aks-secrets-store-csi-driver-7879c      mountpoint-dir
hostPath volume used  kube-system  /var/lib/kubelet/plugins_registry/           aks-secrets-store-csi-driver-7879c      registration-dir
hostPath volume used  kube-system  /var/lib/kubelet/plugins/csi-secrets-store/  aks-secrets-store-csi-driver-7879c      plugin-dir
hostPath volume used  kube-system  /var/run/secrets-store-csi-providers         aks-secrets-store-csi-driver-7879c      providers-dir
hostPath volume used  kube-system  /etc/kubernetes/secrets-store-csi-providers  aks-secrets-store-csi-driver-7879c      providers-dir-0
hostPath volume used  kube-system  /var/lib/kubelet/pods                        aks-secrets-store-csi-driver-m8m29      mountpoint-dir
hostPath volume used  kube-system  /var/lib/kubelet/plugins_registry/           aks-secrets-store-csi-driver-m8m29      registration-dir
hostPath volume used  kube-system  /var/lib/kubelet/plugins/csi-secrets-store/  aks-secrets-store-csi-driver-m8m29      plugin-dir
hostPath volume used  kube-system  /var/run/secrets-store-csi-providers         aks-secrets-store-csi-driver-m8m29      providers-dir
hostPath volume used  kube-system  /etc/kubernetes/secrets-store-csi-providers  aks-secrets-store-csi-driver-m8m29      providers-dir-0
hostPath volume used  kube-system  /var/lib/kubelet/pods                        aks-secrets-store-csi-driver-vnmcd      mountpoint-dir
hostPath volume used  kube-system  /var/lib/kubelet/plugins_registry/           aks-secrets-store-csi-driver-vnmcd      registration-dir
hostPath volume used  kube-system  /var/lib/kubelet/plugins/csi-secrets-store/  aks-secrets-store-csi-driver-vnmcd      plugin-dir
hostPath volume used  kube-system  /var/run/secrets-store-csi-providers         aks-secrets-store-csi-driver-vnmcd      providers-dir
hostPath volume used  kube-system  /etc/kubernetes/secrets-store-csi-providers  aks-secrets-store-csi-driver-vnmcd      providers-dir-0
hostPath volume used  kube-system  /var/lib/kubelet/pods                        aks-secrets-store-csi-driver-zrfbz      mountpoint-dir
hostPath volume used  kube-system  /var/lib/kubelet/plugins_registry/           aks-secrets-store-csi-driver-zrfbz      registration-dir
hostPath volume used  kube-system  /var/lib/kubelet/plugins/csi-secrets-store/  aks-secrets-store-csi-driver-zrfbz      plugin-dir
hostPath volume used  kube-system  /var/run/secrets-store-csi-providers         aks-secrets-store-csi-driver-zrfbz      providers-dir
hostPath volume used  kube-system  /etc/kubernetes/secrets-store-csi-providers  aks-secrets-store-csi-driver-zrfbz      providers-dir-0
hostPath volume used  kube-system  /var/run/secrets-store-csi-providers         aks-secrets-store-provider-azure-68nhw  provider-vol
hostPath volume used  kube-system  /var/run/secrets-store-csi-providers         aks-secrets-store-provider-azure-7bqmn  provider-vol
hostPath volume used  kube-system  /var/run/secrets-store-csi-providers         aks-secrets-store-provider-azure-7r458  provider-vol
hostPath volume used  kube-system  /var/run/secrets-store-csi-providers         aks-secrets-store-provider-azure-k9tdc  provider-vol
hostPath volume used  kube-system  /var/run/secrets-store-csi-providers         aks-secrets-store-provider-azure-n952g  provider-vol
hostPath volume used  kube-system  /var/run/secrets-store-csi-providers         aks-secrets-store-provider-azure-njpqh  provider-vol
hostPath volume used  kube-system  /                                            ama-logs-4v8mz                          host-root
hostPath volume used  kube-system  /etc/hostname                                ama-logs-4v8mz                          container-hostname
hostPath volume used  kube-system  /var/log                                     ama-logs-4v8mz                          host-log
hostPath volume used  kube-system  /var/run/mdsd-ci                             ama-logs-4v8mz                          mdsd-sock
hostPath volume used  kube-system  /var/lib/docker/containers                   ama-logs-4v8mz                          containerlog-path
hostPath volume used  kube-system  /mnt/docker                                  ama-logs-4v8mz                          containerlog-path-2
hostPath volume used  kube-system  /mnt/containers                              ama-logs-4v8mz                          containerlog-path-3
hostPath volume used  kube-system  /etc/kubernetes                              ama-logs-4v8mz                          azure-json-path
hostPath volume used  kube-system  /                                            ama-logs-5vr2w                          host-root
hostPath volume used
kube-system /etc/hostname ama-logs-5vr2w container-hostname hostPath volume used kube-system /var/log ama-logs-5vr2w host-log hostPath volume used kube-system /var/run/mdsd-ci ama-logs-5vr2w mdsd-sock hostPath volume used kube-system /var/lib/docker/containers ama-logs-5vr2w containerlog-path hostPath volume used kube-system /mnt/docker ama-logs-5vr2w containerlog-path-2 hostPath volume used kube-system /mnt/containers ama-logs-5vr2w containerlog-path-3 hostPath volume used kube-system /etc/kubernetes ama-logs-5vr2w azure-json-path hostPath volume used kube-system / ama-logs-fmd7b host-root hostPath volume used kube-system /etc/hostname ama-logs-fmd7b container-hostname hostPath volume used kube-system /var/log ama-logs-fmd7b host-log hostPath volume used kube-system /var/run/mdsd-ci ama-logs-fmd7b mdsd-sock hostPath volume used kube-system /var/lib/docker/containers ama-logs-fmd7b containerlog-path hostPath volume used kube-system /mnt/docker ama-logs-fmd7b containerlog-path-2 hostPath volume used kube-system /mnt/containers ama-logs-fmd7b containerlog-path-3 hostPath volume used kube-system /etc/kubernetes ama-logs-fmd7b azure-json-path hostPath volume used kube-system / ama-logs-fpkw6 host-root hostPath volume used kube-system /etc/hostname ama-logs-fpkw6 container-hostname hostPath volume used kube-system /var/log ama-logs-fpkw6 host-log hostPath volume used kube-system /var/run/mdsd-ci ama-logs-fpkw6 mdsd-sock hostPath volume used kube-system /var/lib/docker/containers ama-logs-fpkw6 containerlog-path hostPath volume used kube-system /mnt/docker ama-logs-fpkw6 containerlog-path-2 hostPath volume used kube-system /mnt/containers ama-logs-fpkw6 containerlog-path-3 hostPath volume used kube-system /etc/kubernetes ama-logs-fpkw6 azure-json-path hostPath volume used kube-system / ama-logs-gqs28 host-root hostPath volume used kube-system /etc/hostname ama-logs-gqs28 container-hostname hostPath volume used kube-system /var/log ama-logs-gqs28 host-log hostPath volume 
used kube-system /var/run/mdsd-ci ama-logs-gqs28 mdsd-sock hostPath volume used kube-system /var/lib/docker/containers ama-logs-gqs28 containerlog-path hostPath volume used kube-system /mnt/docker ama-logs-gqs28 containerlog-path-2 hostPath volume used kube-system /mnt/containers ama-logs-gqs28 containerlog-path-3 hostPath volume used kube-system /etc/kubernetes ama-logs-gqs28 azure-json-path hostPath volume used kube-system / ama-logs-ndxrw host-root hostPath volume used kube-system /etc/hostname ama-logs-ndxrw container-hostname hostPath volume used kube-system /var/log ama-logs-ndxrw host-log hostPath volume used kube-system /var/run/mdsd-ci ama-logs-ndxrw mdsd-sock hostPath volume used kube-system /var/lib/docker/containers ama-logs-ndxrw containerlog-path hostPath volume used kube-system /mnt/docker ama-logs-ndxrw containerlog-path-2 hostPath volume used kube-system /mnt/containers ama-logs-ndxrw containerlog-path-3 hostPath volume used kube-system /etc/kubernetes ama-logs-ndxrw azure-json-path hostPath volume used kube-system /etc/hostname ama-logs-rs-64765bd4b9-ldxwl container-hostname hostPath volume used kube-system /var/log ama-logs-rs-64765bd4b9-ldxwl host-log hostPath volume used kube-system /etc/kubernetes ama-logs-rs-64765bd4b9-ldxwl azure-json-path hostPath volume used kube-system /var/log/containers ama-metrics-7f878d975f-hlggb host-log-containers hostPath volume used kube-system /var/log/pods ama-metrics-7f878d975f-hlggb host-log-pods hostPath volume used kube-system /etc/pki/ca-trust/anchors/ ama-metrics-7f878d975f-hlggb anchors-mariner hostPath volume used kube-system /usr/local/share/ca-certificates/ ama-metrics-7f878d975f-hlggb anchors-ubuntu hostPath volume used kube-system /var/log/containers ama-metrics-7f878d975f-q2mlg host-log-containers hostPath volume used kube-system /var/log/pods ama-metrics-7f878d975f-q2mlg host-log-pods hostPath volume used kube-system /etc/pki/ca-trust/anchors/ ama-metrics-7f878d975f-q2mlg anchors-mariner hostPath 
volume used kube-system /usr/local/share/ca-certificates/ ama-metrics-7f878d975f-q2mlg anchors-ubuntu hostPath volume used kube-system /var/log/containers ama-metrics-node-2ssrw host-log-containers hostPath volume used kube-system /var/log/pods ama-metrics-node-2ssrw host-log-pods hostPath volume used kube-system /etc/pki/ca-trust/anchors/ ama-metrics-node-2ssrw anchors-mariner hostPath volume used kube-system /usr/local/share/ca-certificates/ ama-metrics-node-2ssrw anchors-ubuntu hostPath volume used kube-system /var/log/containers ama-metrics-node-6kkz8 host-log-containers hostPath volume used kube-system /var/log/pods ama-metrics-node-6kkz8 host-log-pods hostPath volume used kube-system /etc/pki/ca-trust/anchors/ ama-metrics-node-6kkz8 anchors-mariner hostPath volume used kube-system /usr/local/share/ca-certificates/ ama-metrics-node-6kkz8 anchors-ubuntu hostPath volume used kube-system /var/log/containers ama-metrics-node-9h44h host-log-containers hostPath volume used kube-system /var/log/pods ama-metrics-node-9h44h host-log-pods hostPath volume used kube-system /etc/pki/ca-trust/anchors/ ama-metrics-node-9h44h anchors-mariner hostPath volume used kube-system /usr/local/share/ca-certificates/ ama-metrics-node-9h44h anchors-ubuntu hostPath volume used kube-system /var/log/containers ama-metrics-node-lhk42 host-log-containers hostPath volume used kube-system /var/log/pods ama-metrics-node-lhk42 host-log-pods hostPath volume used kube-system /etc/pki/ca-trust/anchors/ ama-metrics-node-lhk42 anchors-mariner hostPath volume used kube-system /usr/local/share/ca-certificates/ ama-metrics-node-lhk42 anchors-ubuntu hostPath volume used kube-system /var/log/containers ama-metrics-node-nm5bf host-log-containers hostPath volume used kube-system /var/log/pods ama-metrics-node-nm5bf host-log-pods hostPath volume used kube-system /etc/pki/ca-trust/anchors/ ama-metrics-node-nm5bf anchors-mariner hostPath volume used kube-system /usr/local/share/ca-certificates/ 
ama-metrics-node-nm5bf anchors-ubuntu hostPath volume used kube-system /var/log/containers ama-metrics-node-pqcz5 host-log-containers hostPath volume used kube-system /var/log/pods ama-metrics-node-pqcz5 host-log-pods hostPath volume used kube-system /etc/pki/ca-trust/anchors/ ama-metrics-node-pqcz5 anchors-mariner hostPath volume used kube-system /usr/local/share/ca-certificates/ ama-metrics-node-pqcz5 anchors-ubuntu hostPath volume used kube-system /run/xtables.lock azure-ip-masq-agent-4522j iptableslock hostPath volume used kube-system /run/xtables.lock azure-ip-masq-agent-4c7cr iptableslock hostPath volume used kube-system /run/xtables.lock azure-ip-masq-agent-78rnw iptableslock hostPath volume used kube-system /run/xtables.lock azure-ip-masq-agent-84ltn iptableslock hostPath volume used kube-system /run/xtables.lock azure-ip-masq-agent-t4c2w iptableslock hostPath volume used kube-system /run/xtables.lock azure-ip-masq-agent-vbdd8 iptableslock hostPath volume used kube-system /var/log azure-npm-jsbbh log hostPath volume used kube-system /run/xtables.lock azure-npm-jsbbh xtables-lock hostPath volume used kube-system /etc/protocols azure-npm-jsbbh protocols hostPath volume used kube-system /var/log azure-npm-lp6sf log hostPath volume used kube-system /run/xtables.lock azure-npm-lp6sf xtables-lock hostPath volume used kube-system /etc/protocols azure-npm-lp6sf protocols hostPath volume used kube-system /var/log azure-npm-nv6xx log hostPath volume used kube-system /run/xtables.lock azure-npm-nv6xx xtables-lock hostPath volume used kube-system /etc/protocols azure-npm-nv6xx protocols hostPath volume used kube-system /var/log azure-npm-p6fpw log hostPath volume used kube-system /run/xtables.lock azure-npm-p6fpw xtables-lock hostPath volume used kube-system /etc/protocols azure-npm-p6fpw protocols hostPath volume used kube-system /var/log azure-npm-vsrfp log hostPath volume used kube-system /run/xtables.lock azure-npm-vsrfp xtables-lock hostPath volume used 
kube-system /etc/protocols azure-npm-vsrfp protocols hostPath volume used kube-system /var/log azure-npm-z8mcz log hostPath volume used kube-system /run/xtables.lock azure-npm-z8mcz xtables-lock hostPath volume used kube-system /etc/protocols azure-npm-z8mcz protocols hostPath volume used kube-system /etc/kubernetes/azure.json azure-policy-698f7c86b4-nnff2 acs-credential hostPath volume used kube-system /etc/ssl/certs azure-policy-698f7c86b4-nnff2 ca-certs hostPath volume used kube-system /etc/pki/ca-trust/extracted azure-policy-698f7c86b4-nnff2 etc-pki-ca-certs hostPath volume used kube-system /var/log extension-agent-66c4486d68-46cqq varlog hostPath volume used kube-system /var/lib/docker/containers extension-agent-66c4486d68-46cqq varlibdockercontainers hostPath volume used kube-system /etc/kubernetes/azure.json extension-agent-66c4486d68-46cqq acs-credential hostPath volume used kube-system /var/log extension-operator-d95fd449b-ssrcx varlog hostPath volume used kube-system /var/lib/docker/containers extension-operator-d95fd449b-ssrcx varlibdockercontainers hostPath volume used kube-system /etc/kubernetes/azure.json extension-operator-d95fd449b-ssrcx acs-credential hostPath volume used kube-system /run/xtables.lock kube-proxy-26xkd iptableslock hostPath volume used kube-system /etc/sysctl.d kube-proxy-26xkd sysctls hostPath volume used kube-system /lib/modules kube-proxy-26xkd modules hostPath volume used kube-system /run/xtables.lock kube-proxy-6mrql iptableslock hostPath volume used kube-system /etc/sysctl.d kube-proxy-6mrql sysctls hostPath volume used kube-system /lib/modules kube-proxy-6mrql modules hostPath volume used kube-system /run/xtables.lock kube-proxy-9rbxf iptableslock hostPath volume used kube-system /etc/sysctl.d kube-proxy-9rbxf sysctls hostPath volume used kube-system /lib/modules kube-proxy-9rbxf modules hostPath volume used kube-system /run/xtables.lock kube-proxy-njzgk iptableslock hostPath volume used kube-system /etc/sysctl.d 
kube-proxy-njzgk sysctls hostPath volume used kube-system /lib/modules kube-proxy-njzgk modules hostPath volume used kube-system /run/xtables.lock kube-proxy-rvmxl iptableslock hostPath volume used kube-system /etc/sysctl.d kube-proxy-rvmxl sysctls hostPath volume used kube-system /lib/modules kube-proxy-rvmxl modules hostPath volume used kube-system /run/xtables.lock kube-proxy-vp7xj iptableslock hostPath volume used kube-system /etc/sysctl.d kube-proxy-vp7xj sysctls hostPath volume used kube-system /lib/modules kube-proxy-vp7xj modules hostPath volume used kube-system /var/log microsoft-defender-collector-ds-6xdfq host-log hostPath volume used kube-system /sys/kernel microsoft-defender-collector-ds-6xdfq debugfs hostPath volume used kube-system /lib/modules microsoft-defender-collector-ds-6xdfq modules hostPath volume used kube-system /usr/src microsoft-defender-collector-ds-6xdfq usr-src hostPath volume used kube-system /run/containerd/containerd.sock microsoft-defender-collector-ds-6xdfq containerd-file-sock hostPath volume used kube-system /proc microsoft-defender-collector-ds-6xdfq proc hostPath volume used kube-system /bin microsoft-defender-collector-ds-6xdfq bin hostPath volume used kube-system /etc microsoft-defender-collector-ds-6xdfq etc hostPath volume used kube-system /opt microsoft-defender-collector-ds-6xdfq opt hostPath volume used kube-system /usr microsoft-defender-collector-ds-6xdfq usr hostPath volume used kube-system /run microsoft-defender-collector-ds-6xdfq run hostPath volume used kube-system /sys/fs/bpf microsoft-defender-collector-ds-6xdfq bpffs hostPath volume used kube-system /var/log microsoft-defender-collector-ds-89l74 host-log hostPath volume used kube-system /sys/kernel microsoft-defender-collector-ds-89l74 debugfs hostPath volume used kube-system /lib/modules microsoft-defender-collector-ds-89l74 modules hostPath volume used kube-system /usr/src microsoft-defender-collector-ds-89l74 usr-src hostPath volume used kube-system 
/run/containerd/containerd.sock microsoft-defender-collector-ds-89l74 containerd-file-sock hostPath volume used kube-system /proc microsoft-defender-collector-ds-89l74 proc hostPath volume used kube-system /bin microsoft-defender-collector-ds-89l74 bin hostPath volume used kube-system /etc microsoft-defender-collector-ds-89l74 etc hostPath volume used kube-system /opt microsoft-defender-collector-ds-89l74 opt hostPath volume used kube-system /usr microsoft-defender-collector-ds-89l74 usr hostPath volume used kube-system /run microsoft-defender-collector-ds-89l74 run hostPath volume used kube-system /sys/fs/bpf microsoft-defender-collector-ds-89l74 bpffs hostPath volume used kube-system /var/log microsoft-defender-collector-ds-d7gwk host-log hostPath volume used kube-system /sys/kernel microsoft-defender-collector-ds-d7gwk debugfs hostPath volume used kube-system /lib/modules microsoft-defender-collector-ds-d7gwk modules hostPath volume used kube-system /usr/src microsoft-defender-collector-ds-d7gwk usr-src hostPath volume used kube-system /run/containerd/containerd.sock microsoft-defender-collector-ds-d7gwk containerd-file-sock hostPath volume used kube-system /proc microsoft-defender-collector-ds-d7gwk proc hostPath volume used kube-system /bin microsoft-defender-collector-ds-d7gwk bin hostPath volume used kube-system /etc microsoft-defender-collector-ds-d7gwk etc hostPath volume used kube-system /opt microsoft-defender-collector-ds-d7gwk opt hostPath volume used kube-system /usr microsoft-defender-collector-ds-d7gwk usr hostPath volume used kube-system /run microsoft-defender-collector-ds-d7gwk run hostPath volume used kube-system /sys/fs/bpf microsoft-defender-collector-ds-d7gwk bpffs hostPath volume used kube-system /var/log microsoft-defender-collector-ds-mdcs8 host-log hostPath volume used kube-system /sys/kernel microsoft-defender-collector-ds-mdcs8 debugfs hostPath volume used kube-system /lib/modules microsoft-defender-collector-ds-mdcs8 modules hostPath 
volume used kube-system /usr/src microsoft-defender-collector-ds-mdcs8 usr-src hostPath volume used kube-system /run/containerd/containerd.sock microsoft-defender-collector-ds-mdcs8 containerd-file-sock hostPath volume used kube-system /proc microsoft-defender-collector-ds-mdcs8 proc hostPath volume used kube-system /bin microsoft-defender-collector-ds-mdcs8 bin hostPath volume used kube-system /etc microsoft-defender-collector-ds-mdcs8 etc hostPath volume used kube-system /opt microsoft-defender-collector-ds-mdcs8 opt hostPath volume used kube-system /usr microsoft-defender-collector-ds-mdcs8 usr hostPath volume used kube-system /run microsoft-defender-collector-ds-mdcs8 run hostPath volume used kube-system /sys/fs/bpf microsoft-defender-collector-ds-mdcs8 bpffs hostPath volume used kube-system /var/log microsoft-defender-collector-ds-q6d6c host-log hostPath volume used kube-system /sys/kernel microsoft-defender-collector-ds-q6d6c debugfs hostPath volume used kube-system /lib/modules microsoft-defender-collector-ds-q6d6c modules hostPath volume used kube-system /usr/src microsoft-defender-collector-ds-q6d6c usr-src hostPath volume used kube-system /run/containerd/containerd.sock microsoft-defender-collector-ds-q6d6c containerd-file-sock hostPath volume used kube-system /proc microsoft-defender-collector-ds-q6d6c proc hostPath volume used kube-system /bin microsoft-defender-collector-ds-q6d6c bin hostPath volume used kube-system /etc microsoft-defender-collector-ds-q6d6c etc hostPath volume used kube-system /opt microsoft-defender-collector-ds-q6d6c opt hostPath volume used kube-system /usr microsoft-defender-collector-ds-q6d6c usr hostPath volume used kube-system /run microsoft-defender-collector-ds-q6d6c run hostPath volume used kube-system /sys/fs/bpf microsoft-defender-collector-ds-q6d6c bpffs hostPath volume used kube-system /var/log microsoft-defender-collector-ds-wb5dm host-log hostPath volume used kube-system /sys/kernel 
microsoft-defender-collector-ds-wb5dm debugfs hostPath volume used kube-system /lib/modules microsoft-defender-collector-ds-wb5dm modules hostPath volume used kube-system /usr/src microsoft-defender-collector-ds-wb5dm usr-src hostPath volume used kube-system /run/containerd/containerd.sock microsoft-defender-collector-ds-wb5dm containerd-file-sock hostPath volume used kube-system /proc microsoft-defender-collector-ds-wb5dm proc hostPath volume used kube-system /bin microsoft-defender-collector-ds-wb5dm bin hostPath volume used kube-system /etc microsoft-defender-collector-ds-wb5dm etc hostPath volume used kube-system /opt microsoft-defender-collector-ds-wb5dm opt hostPath volume used kube-system /usr microsoft-defender-collector-ds-wb5dm usr hostPath volume used kube-system /run microsoft-defender-collector-ds-wb5dm run hostPath volume used kube-system /sys/fs/bpf microsoft-defender-collector-ds-wb5dm bpffs hostPath volume used kube-system /var/log microsoft-defender-collector-misc-7df6776447-bcbph host-log hostPath volume used kube-system /var/microsoft/microsoft-defender-for-cloud microsoft-defender-publisher-ds-2ql5b cert-onboarding hostPath volume used kube-system / microsoft-defender-publisher-ds-2ql5b host-root hostPath volume used kube-system /var/run microsoft-defender-publisher-ds-2ql5b docker-sock hostPath volume used kube-system /etc/hostname microsoft-defender-publisher-ds-2ql5b container-hostname hostPath volume used kube-system /var/log microsoft-defender-publisher-ds-2ql5b host-log hostPath volume used kube-system /etc/kubernetes microsoft-defender-publisher-ds-2ql5b azure-json-path hostPath volume used kube-system /var/microsoft/microsoft-defender-for-cloud microsoft-defender-publisher-ds-2rsrw cert-onboarding hostPath volume used kube-system / microsoft-defender-publisher-ds-2rsrw host-root hostPath volume used kube-system /var/run microsoft-defender-publisher-ds-2rsrw docker-sock hostPath volume used kube-system /etc/hostname 
microsoft-defender-publisher-ds-2rsrw container-hostname hostPath volume used kube-system /var/log microsoft-defender-publisher-ds-2rsrw host-log hostPath volume used kube-system /etc/kubernetes microsoft-defender-publisher-ds-2rsrw azure-json-path hostPath volume used kube-system /var/microsoft/microsoft-defender-for-cloud microsoft-defender-publisher-ds-jj6dh cert-onboarding hostPath volume used kube-system / microsoft-defender-publisher-ds-jj6dh host-root hostPath volume used kube-system /var/run microsoft-defender-publisher-ds-jj6dh docker-sock hostPath volume used kube-system /etc/hostname microsoft-defender-publisher-ds-jj6dh container-hostname hostPath volume used kube-system /var/log microsoft-defender-publisher-ds-jj6dh host-log hostPath volume used kube-system /etc/kubernetes microsoft-defender-publisher-ds-jj6dh azure-json-path hostPath volume used kube-system /var/microsoft/microsoft-defender-for-cloud microsoft-defender-publisher-ds-l5crs cert-onboarding hostPath volume used kube-system / microsoft-defender-publisher-ds-l5crs host-root hostPath volume used kube-system /var/run microsoft-defender-publisher-ds-l5crs docker-sock hostPath volume used kube-system /etc/hostname microsoft-defender-publisher-ds-l5crs container-hostname hostPath volume used kube-system /var/log microsoft-defender-publisher-ds-l5crs host-log hostPath volume used kube-system /etc/kubernetes microsoft-defender-publisher-ds-l5crs azure-json-path hostPath volume used kube-system /var/microsoft/microsoft-defender-for-cloud microsoft-defender-publisher-ds-lfk8h cert-onboarding hostPath volume used kube-system / microsoft-defender-publisher-ds-lfk8h host-root hostPath volume used kube-system /var/run microsoft-defender-publisher-ds-lfk8h docker-sock hostPath volume used kube-system /etc/hostname microsoft-defender-publisher-ds-lfk8h container-hostname hostPath volume used kube-system /var/log microsoft-defender-publisher-ds-lfk8h host-log hostPath volume used kube-system 
/etc/kubernetes microsoft-defender-publisher-ds-lfk8h azure-json-path hostPath volume used kube-system /var/microsoft/microsoft-defender-for-cloud microsoft-defender-publisher-ds-vz2c6 cert-onboarding hostPath volume used kube-system / microsoft-defender-publisher-ds-vz2c6 host-root hostPath volume used kube-system /var/run microsoft-defender-publisher-ds-vz2c6 docker-sock hostPath volume used kube-system /etc/hostname microsoft-defender-publisher-ds-vz2c6 container-hostname hostPath volume used kube-system /var/log microsoft-defender-publisher-ds-vz2c6 host-log hostPath volume used kube-system /etc/kubernetes microsoft-defender-publisher-ds-vz2c6 azure-json-path hostPath volume used kube-system /sys/kernel/debug retina-agent-cgv48 debug hostPath volume used kube-system /sys/kernel/tracing retina-agent-cgv48 trace hostPath volume used kube-system /sys/fs/bpf retina-agent-cgv48 bpf hostPath volume used kube-system /sys/fs/cgroup retina-agent-cgv48 cgroup hostPath volume used kube-system /var/run/cilium retina-agent-cgv48 cilium hostPath volume used kube-system /sys/kernel/debug retina-agent-gjxk8 debug hostPath volume used kube-system /sys/kernel/tracing retina-agent-gjxk8 trace hostPath volume used kube-system /sys/fs/bpf retina-agent-gjxk8 bpf hostPath volume used kube-system /sys/fs/cgroup retina-agent-gjxk8 cgroup hostPath volume used kube-system /var/run/cilium retina-agent-gjxk8 cilium hostPath volume used kube-system /sys/kernel/debug retina-agent-js76w debug hostPath volume used kube-system /sys/kernel/tracing retina-agent-js76w trace hostPath volume used kube-system /sys/fs/bpf retina-agent-js76w bpf hostPath volume used kube-system /sys/fs/cgroup retina-agent-js76w cgroup hostPath volume used kube-system /var/run/cilium retina-agent-js76w cilium hostPath volume used kube-system /sys/kernel/debug retina-agent-lfn7d debug hostPath volume used kube-system /sys/kernel/tracing retina-agent-lfn7d trace hostPath volume used kube-system /sys/fs/bpf 
retina-agent-lfn7d bpf hostPath volume used kube-system /sys/fs/cgroup retina-agent-lfn7d cgroup hostPath volume used kube-system /var/run/cilium retina-agent-lfn7d cilium hostPath volume used kube-system /sys/kernel/debug retina-agent-qc9bs debug hostPath volume used kube-system /sys/kernel/tracing retina-agent-qc9bs trace hostPath volume used kube-system /sys/fs/bpf retina-agent-qc9bs bpf hostPath volume used kube-system /sys/fs/cgroup retina-agent-qc9bs cgroup hostPath volume used kube-system /var/run/cilium retina-agent-qc9bs cilium hostPath volume used kube-system /sys/kernel/debug retina-agent-wlt7b debug hostPath volume used kube-system /sys/kernel/tracing retina-agent-wlt7b trace hostPath volume used kube-system /sys/fs/bpf retina-agent-wlt7b bpf hostPath volume used kube-system /sys/fs/cgroup retina-agent-wlt7b cgroup hostPath volume used kube-system /var/run/cilium retina-agent-wlt7b cilium Category: Pod Security Severity: High Recommendation: Avoid using hostPath unless absolutely necessary. Use persistent volumes instead. 
URL: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath

SEC011 - Containers Running as UID 0
Total Issues: 13

Container                 Issue                    Namespace    Pod
---------                 -----                    ---------    ---
provider-azure-installer  Container runs as UID 0  kube-system  aks-secrets-store-provider-azure-68nhw
provider-azure-installer  Container runs as UID 0  kube-system  aks-secrets-store-provider-azure-7bqmn
provider-azure-installer  Container runs as UID 0  kube-system  aks-secrets-store-provider-azure-7r458
provider-azure-installer  Container runs as UID 0  kube-system  aks-secrets-store-provider-azure-k9tdc
provider-azure-installer  Container runs as UID 0  kube-system  aks-secrets-store-provider-azure-n952g
provider-azure-installer  Container runs as UID 0  kube-system  aks-secrets-store-provider-azure-njpqh
azure-policy              Container runs as UID 0  kube-system  azure-policy-698f7c86b4-nnff2
retina                    Container runs as UID 0  kube-system  retina-agent-cgv48
retina                    Container runs as UID 0  kube-system  retina-agent-gjxk8
retina                    Container runs as UID 0  kube-system  retina-agent-js76w
retina                    Container runs as UID 0  kube-system  retina-agent-lfn7d
retina                    Container runs as UID 0  kube-system  retina-agent-qc9bs
retina                    Container runs as UID 0  kube-system  retina-agent-wlt7b

Category: Pod Security
Severity: High
Recommendation: Avoid setting runAsUser to 0. Use non-root UIDs for better isolation.
URL: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

SEC012 - Added Linux Capabilities
Total Issues: 70

Capabilities                                                               Container                               Issue                     Namespace
------------                                                               ---------                               -----                     ---------
NET_BIND_SERVICE                                                           controller                              Added Linux capabilities  app-routing-s…
NET_BIND_SERVICE                                                           controller                              Added Linux capabilities  app-routing-s…
DAC_OVERRIDE                                                               ama-logs                                Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               ama-logs-prometheus                     Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               ama-logs                                Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               ama-logs-prometheus                     Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               ama-logs                                Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               ama-logs-prometheus                     Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               ama-logs                                Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               ama-logs-prometheus                     Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               ama-logs                                Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               ama-logs-prometheus                     Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               ama-logs                                Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               ama-logs-prometheus                     Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               ama-logs                                Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               prometheus-collector                    Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         addon-token-adapter                     Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               prometheus-collector                    Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         addon-token-adapter                     Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               prometheus-collector                    Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         addon-token-adapter                     Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               prometheus-collector                    Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         addon-token-adapter                     Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               prometheus-collector                    Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         addon-token-adapter                     Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               prometheus-collector                    Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         addon-token-adapter                     Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               prometheus-collector                    Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         addon-token-adapter                     Added Linux capabilities  kube-system
DAC_OVERRIDE                                                               prometheus-collector                    Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         addon-token-adapter                     Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         azure-ip-masq-agent                     Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         azure-ip-masq-agent                     Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         azure-ip-masq-agent                     Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         azure-ip-masq-agent                     Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         azure-ip-masq-agent                     Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         azure-ip-masq-agent                     Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         azure-npm                               Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         azure-npm                               Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         azure-npm                               Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         azure-npm                               Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         azure-npm                               Added Linux capabilities  kube-system
NET_ADMIN, NET_RAW                                                         azure-npm                               Added Linux capabilities  kube-system
NET_BIND_SERVICE                                                           coredns                                 Added Linux capabilities  kube-system
NET_BIND_SERVICE                                                           coredns                                 Added Linux capabilities  kube-system
NET_RAW, NET_ADMIN                                                         microsoft-defender-pod-collector        Added Linux capabilities  kube-system
SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW  microsoft-defender-low-level-collector  Added Linux capabilities  kube-system
NET_RAW, NET_ADMIN                                                         microsoft-defender-pod-collector        Added Linux capabilities  kube-system
SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW  microsoft-defender-low-level-collector  Added Linux capabilities  kube-system
NET_RAW, NET_ADMIN                                                         microsoft-defender-pod-collector        Added Linux capabilities  kube-system
SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW  microsoft-defender-low-level-collector  Added Linux capabilities  kube-system
NET_RAW, NET_ADMIN                                                         microsoft-defender-pod-collector        Added Linux capabilities  kube-system
SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW  microsoft-defender-low-level-collector  Added Linux capabilities  kube-system
NET_RAW, NET_ADMIN                                                         microsoft-defender-pod-collector        Added Linux capabilities  kube-system
SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW  microsoft-defender-low-level-collector  Added Linux capabilities  kube-system
NET_RAW, NET_ADMIN                                                         microsoft-defender-pod-collector        Added Linux capabilities  kube-system
SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW  microsoft-defender-low-level-collector  Added Linux capabilities  kube-system
NET_RAW, NET_ADMIN                                                         microsoft-defender-pod-collector        Added Linux capabilities  kube-system
NET_RAW, NET_ADMIN                                                         microsoft-defender-publisher            Added Linux capabilities  kube-system
NET_RAW, NET_ADMIN                                                         microsoft-defender-publisher            Added Linux capabilities  kube-system
NET_RAW, NET_ADMIN                                                         microsoft-defender-publisher            Added Linux capabilities  kube-system
NET_RAW, NET_ADMIN                                                         microsoft-defender-publisher            Added Linux capabilities  kube-system
NET_RAW, NET_ADMIN                                                         microsoft-defender-publisher            Added Linux capabilities  kube-system
NET_RAW, NET_ADMIN                                                         microsoft-defender-publisher            Added Linux capabilities  kube-system
SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK                      retina                                  Added Linux capabilities  kube-system
SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK                      retina                                  Added Linux capabilities  kube-system
SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK                      retina                                  Added Linux capabilities  kube-system
SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK                      retina                                  Added Linux capabilities  kube-system
SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK                      retina                                  Added Linux capabilities  kube-system
SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK                      retina                                  Added Linux capabilities  kube-system

Category: Pod Security
Severity: Medium
Recommendation: Avoid adding capabilities unless necessary. Most apps don’t need them.
URL: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

SEC013 - EmptyDir Volume Usage
Total Issues: 98

Issue                 Namespace          Pod                                                          Volume
-----                 ---------          ---                                                          ------
EmptyDir volume used  aks-istio-ingress  aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4  workload-socket
EmptyDir volume used  aks-istio-ingress  aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4  credential-socket
EmptyDir volume used  aks-istio-ingress  aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4  workload-certs
EmptyDir volume used  aks-istio-ingress  aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4  istio-envoy
EmptyDir volume used  aks-istio-ingress  aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4  istio-data
EmptyDir volume used  aks-istio-ingress  aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb  workload-socket
EmptyDir volume used  aks-istio-ingress  aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb  credential-socket
EmptyDir volume used  aks-istio-ingress  aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb  workload-certs
EmptyDir volume used  aks-istio-ingress  aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb  istio-envoy
EmptyDir volume used  aks-istio-ingress  aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb  istio-data
EmptyDir volume used  aks-istio-system   istiod-asm-1-23-7744d5fbf4-9572m                             local-certs
EmptyDir volume used  aks-istio-system   istiod-asm-1-23-7744d5fbf4-rqzvt                             local-certs
EmptyDir volume used  argocd             argocd-application-controller-0                              argocd-home
EmptyDir volume used  argocd             argocd-application-controller-0                              argocd-application-controller-tmp
EmptyDir volume used  argocd             argocd-applicationset-controller-6fdf84dbb6-msffz            gpg-keyring
EmptyDir volume used  argocd             argocd-applicationset-controller-6fdf84dbb6-msffz            tmp
EmptyDir volume used  argocd             argocd-dex-server-556c76889-h4kxj
static-files EmptyDir volume used argocd argocd-dex-server-556c76889-h4kxj dexconfig EmptyDir volume used argocd argocd-redis-ha-haproxy-fb657456c-kjbkq shared-socket EmptyDir volume used argocd argocd-redis-ha-haproxy-fb657456c-kjbkq data EmptyDir volume used argocd argocd-redis-ha-haproxy-fb657456c-kjlpf shared-socket EmptyDir volume used argocd argocd-redis-ha-haproxy-fb657456c-kjlpf data EmptyDir volume used argocd argocd-redis-ha-haproxy-fb657456c-tnjmb shared-socket EmptyDir volume used argocd argocd-redis-ha-haproxy-fb657456c-tnjmb data EmptyDir volume used argocd argocd-redis-ha-server-0 data EmptyDir volume used argocd argocd-redis-ha-server-1 data EmptyDir volume used argocd argocd-redis-ha-server-2 data EmptyDir volume used argocd argocd-repo-server-8568fc89b5-sx6ks gpg-keyring EmptyDir volume used argocd argocd-repo-server-8568fc89b5-sx6ks tmp EmptyDir volume used argocd argocd-repo-server-8568fc89b5-sx6ks helm-working-dir EmptyDir volume used argocd argocd-repo-server-8568fc89b5-sx6ks var-files EmptyDir volume used argocd argocd-repo-server-8568fc89b5-sx6ks plugins EmptyDir volume used argocd argocd-repo-server-8568fc89b5-xrzzn gpg-keyring EmptyDir volume used argocd argocd-repo-server-8568fc89b5-xrzzn tmp EmptyDir volume used argocd argocd-repo-server-8568fc89b5-xrzzn helm-working-dir EmptyDir volume used argocd argocd-repo-server-8568fc89b5-xrzzn var-files EmptyDir volume used argocd argocd-repo-server-8568fc89b5-xrzzn plugins EmptyDir volume used argocd argocd-server-54f9645b87-k4rz8 plugins-home EmptyDir volume used argocd argocd-server-54f9645b87-k4rz8 tmp EmptyDir volume used argocd argocd-server-54f9645b87-wwzgz plugins-home EmptyDir volume used argocd argocd-server-54f9645b87-wwzgz tmp EmptyDir volume used gatekeeper-system gatekeeper-audit-77858c8f69-7k782 tmp-volume EmptyDir volume used kiali-operator kiali-operator-696bd54db-mr8md tmp EmptyDir volume used kube-system ama-logs-4v8mz mdsd-prometheus-sock EmptyDir volume used kube-system 
ama-logs-5vr2w mdsd-prometheus-sock EmptyDir volume used kube-system ama-logs-fmd7b mdsd-prometheus-sock EmptyDir volume used kube-system ama-logs-fpkw6 mdsd-prometheus-sock EmptyDir volume used kube-system ama-logs-gqs28 mdsd-prometheus-sock EmptyDir volume used kube-system ama-logs-ndxrw mdsd-prometheus-sock EmptyDir volume used kube-system ama-metrics-operator-targets-66fb46c8d6-vskdg ta-config-shared EmptyDir volume used kube-system azure-npm-jsbbh tmp EmptyDir volume used kube-system azure-npm-lp6sf tmp EmptyDir volume used kube-system azure-npm-nv6xx tmp EmptyDir volume used kube-system azure-npm-p6fpw tmp EmptyDir volume used kube-system azure-npm-vsrfp tmp EmptyDir volume used kube-system azure-npm-z8mcz tmp EmptyDir volume used kube-system coredns-658d6d767d-757xp tmp EmptyDir volume used kube-system coredns-658d6d767d-pt6l6 tmp EmptyDir volume used kube-system metrics-server-5f9ccffcc4-jsrjl tmp-dir EmptyDir volume used kube-system metrics-server-5f9ccffcc4-v88pw tmp-dir EmptyDir volume used kube-system microsoft-defender-collector-ds-6xdfq ebpf EmptyDir volume used kube-system microsoft-defender-collector-ds-89l74 ebpf EmptyDir volume used kube-system microsoft-defender-collector-ds-d7gwk ebpf EmptyDir volume used kube-system microsoft-defender-collector-ds-mdcs8 ebpf EmptyDir volume used kube-system microsoft-defender-collector-ds-q6d6c ebpf EmptyDir volume used kube-system microsoft-defender-collector-ds-wb5dm ebpf EmptyDir volume used kube-system microsoft-defender-publisher-ds-2ql5b fluent-bit-conf EmptyDir volume used kube-system microsoft-defender-publisher-ds-2rsrw fluent-bit-conf EmptyDir volume used kube-system microsoft-defender-publisher-ds-jj6dh fluent-bit-conf EmptyDir volume used kube-system microsoft-defender-publisher-ds-l5crs fluent-bit-conf EmptyDir volume used kube-system microsoft-defender-publisher-ds-lfk8h fluent-bit-conf EmptyDir volume used kube-system microsoft-defender-publisher-ds-vz2c6 fluent-bit-conf EmptyDir volume used 
kube-system retina-agent-cgv48 tmp EmptyDir volume used kube-system retina-agent-gjxk8 tmp EmptyDir volume used kube-system retina-agent-js76w tmp EmptyDir volume used kube-system retina-agent-lfn7d tmp EmptyDir volume used kube-system retina-agent-qc9bs tmp EmptyDir volume used kube-system retina-agent-wlt7b tmp EmptyDir volume used pets order-service-6c5bfb6946-b58xq workload-socket EmptyDir volume used pets order-service-6c5bfb6946-b58xq credential-socket EmptyDir volume used pets order-service-6c5bfb6946-b58xq workload-certs EmptyDir volume used pets order-service-6c5bfb6946-b58xq istio-envoy EmptyDir volume used pets order-service-6c5bfb6946-b58xq istio-data EmptyDir volume used pets product-service-5dd87dfb8-ssfxc workload-socket EmptyDir volume used pets product-service-5dd87dfb8-ssfxc credential-socket EmptyDir volume used pets product-service-5dd87dfb8-ssfxc workload-certs EmptyDir volume used pets product-service-5dd87dfb8-ssfxc istio-envoy EmptyDir volume used pets product-service-5dd87dfb8-ssfxc istio-data EmptyDir volume used pets rabbitmq-0 workload-socket EmptyDir volume used pets rabbitmq-0 credential-socket EmptyDir volume used pets rabbitmq-0 workload-certs EmptyDir volume used pets rabbitmq-0 istio-envoy EmptyDir volume used pets rabbitmq-0 istio-data EmptyDir volume used pets store-front-658994fd95-pk9qn workload-socket EmptyDir volume used pets store-front-658994fd95-pk9qn credential-socket EmptyDir volume used pets store-front-658994fd95-pk9qn workload-certs EmptyDir volume used pets store-front-658994fd95-pk9qn istio-envoy EmptyDir volume used pets store-front-658994fd95-pk9qn istio-data Category: Pod Security Severity: Low Recommendation: Use persistent volumes or configMaps instead of EmptyDir when persistence is required. 
URL: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir

SEC014 - Untrusted Image Registries
Total Issues: 180

Container                               Image
---------                               -----
istio-proxy                             mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless
istio-proxy                             mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless
discovery                               mcr.microsoft.com/oss/istio/pilot:1.23.5-distroless
discovery                               mcr.microsoft.com/oss/istio/pilot:1.23.5-distroless
controller                              mcr.microsoft.com/oss/kubernetes/ingress/nginx-ingress-controller:v1.11.5
controller                              mcr.microsoft.com/oss/kubernetes/ingress/nginx-ingress-controller:v1.11.5
webserver-simple                        docker.io/kostiscodefresh/gitops-simple-app:v1.0
webserver-simple                        docker.io/kostiscodefresh/gitops-simple-app:v1.0
argocd-application-controller           mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1
argocd-applicationset-controller        mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1
dex                                     mcr.microsoft.com/oss/v2/dexidp/dex:v2.41.1
argocd-notifications-controller         mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1
haproxy                                 mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11
haproxy                                 mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11
haproxy                                 mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11
redis                                   mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7
sentinel                                mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7
split-brain-fix                         mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7
redis                                   mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7
sentinel                                mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7
split-brain-fix                         mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7
redis                                   mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7
sentinel                                mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7
split-brain-fix                         mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7
argocd-repo-server                      mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1
argocd-repo-server                      mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1
argocd-server                           mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1
argocd-server                           mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1
webserver-simple                        docker.io/kostiscodefresh/gitops-simple-app:v1.0
gatekeeper-audit-container              mcr.microsoft.com/oss/v2/open-policy-agent/gatekeeper:v3.18.2-1
gatekeeper-controller-container         mcr.microsoft.com/oss/v2/open-policy-agent/gatekeeper:v3.18.2-1
gatekeeper-controller-container         mcr.microsoft.com/oss/v2/open-policy-agent/gatekeeper:v3.18.2-1
webserver-simple                        docker.io/kostiscodefresh/gitops-simple-app:v1.0
kiali                                   quay.io/kiali/kiali:v2.7.1
operator                                quay.io/kiali/kiali-operator:v2.7.1
node-driver-registrar                   mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1
secrets-store                           mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8
liveness-probe                          mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1
node-driver-registrar                   mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1
secrets-store                           mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8
liveness-probe                          mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1
node-driver-registrar                   mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1
secrets-store                           mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8
liveness-probe                          mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1
node-driver-registrar                   mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1
secrets-store                           mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8
liveness-probe                          mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1
node-driver-registrar                   mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1
secrets-store                           mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8
liveness-probe                          mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1
node-driver-registrar                   mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1
secrets-store                           mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8
liveness-probe                          mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1
provider-azure-installer                mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2
provider-azure-installer                mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2
provider-azure-installer                mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2
provider-azure-installer                mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2
provider-azure-installer                mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2
provider-azure-installer                mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2
ama-logs                                mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26
ama-logs-prometheus                     mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26
ama-logs                                mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26
ama-logs-prometheus                     mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26
ama-logs                                mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26
ama-logs-prometheus                     mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26
ama-logs                                mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26
ama-logs-prometheus                     mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26
ama-logs                                mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26
ama-logs-prometheus                     mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26
ama-logs                                mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26
ama-logs-prometheus                     mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26
ama-logs                                mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26
prometheus-collector                    mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2…
addon-token-adapter                     mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1
prometheus-collector                    mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2…
addon-token-adapter                     mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1
ama-metrics-ksm                         mcr.microsoft.com/oss/kubernetes/kube-state-metrics:v2.12.0
prometheus-collector                    mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2…
addon-token-adapter                     mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1
prometheus-collector                    mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2…
addon-token-adapter                     mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1
prometheus-collector                    mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2…
addon-token-adapter                     mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1
prometheus-collector                    mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2…
addon-token-adapter                     mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1
prometheus-collector                    mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2…
addon-token-adapter                     mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1
prometheus-collector                    mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2…
addon-token-adapter                     mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1
targetallocator                         mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2…
config-reader                           mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2…
azure-ip-masq-agent                     mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2
azure-ip-masq-agent                     mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2
azure-ip-masq-agent                     mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2
azure-ip-masq-agent                     mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2
azure-ip-masq-agent                     mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2
azure-ip-masq-agent                     mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2
azure-npm                               mcr.microsoft.com/containernetworking/azure-npm:v1.5.45
azure-npm                               mcr.microsoft.com/containernetworking/azure-npm:v1.5.45
azure-npm                               mcr.microsoft.com/containernetworking/azure-npm:v1.5.45
azure-npm                               mcr.microsoft.com/containernetworking/azure-npm:v1.5.45
azure-npm                               mcr.microsoft.com/containernetworking/azure-npm:v1.5.45
azure-npm                               mcr.microsoft.com/containernetworking/azure-npm:v1.5.45
azure-policy                            mcr.microsoft.com/azure-policy/policy-kubernetes-addon-prod:1.10.1
azure-policy-webhook                    mcr.microsoft.com/azure-policy/policy-kubernetes-webhook:1.10.0
manager                                 mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.4.0
manager                                 mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.4.0
cloud-node-manager                      mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10
cloud-node-manager                      mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10
cloud-node-manager                      mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10
cloud-node-manager                      mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10
cloud-node-manager                      mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10
cloud-node-manager                      mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10
coredns                                 mcr.microsoft.com/oss/v2/kubernetes/coredns:v1.9.4-5
coredns                                 mcr.microsoft.com/oss/v2/kubernetes/coredns:v1.9.4-5
autoscaler                              mcr.microsoft.com/oss/v2/kubernetes/autoscaler/cluster-proportional-autoscaler:v1.8.11-5
manager                                 mcr.microsoft.com/oss/v2/eraser/eraser-manager:v1.4.0-2
extension-agent                         mcr.microsoft.com/azurearck8s/aks/stable/config-agent:1.23.3
fluent-bit                              mcr.microsoft.com/azurearck8s/aks/stable/fluent-bit-collector:1.23.3
manager                                 mcr.microsoft.com/azurearck8s/aks/stable/extensionoperator:1.23.3
fluent-bit                              mcr.microsoft.com/azurearck8s/aks/stable/fluent-bit-collector:1.23.3
keda-admission-webhooks                 mcr.microsoft.com/oss/kedacore/keda-admission-webhooks:2.14.1
keda-admission-webhooks                 mcr.microsoft.com/oss/kedacore/keda-admission-webhooks:2.14.1
keda-operator                           mcr.microsoft.com/oss/kedacore/keda:2.14.1
keda-operator                           mcr.microsoft.com/oss/kedacore/keda:2.14.1
keda-operator-metrics-apiserver         mcr.microsoft.com/oss/kedacore/keda-metrics-apiserver:2.14.1
keda-operator-metrics-apiserver         mcr.microsoft.com/oss/kedacore/keda-metrics-apiserver:2.14.1
konnectivity-agent                      mcr.microsoft.com/oss/kubernetes/apiserver-network-proxy/agent:v0.30.3-hotfix.20240819
konnectivity-agent                      mcr.microsoft.com/oss/kubernetes/apiserver-network-proxy/agent:v0.30.3-hotfix.20240819
autoscaler                              mcr.microsoft.com/oss/v2/kubernetes/autoscaler/cluster-proportional-autoscaler:v1.8.11-5
kube-proxy                              mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11
kube-proxy                              mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11
kube-proxy                              mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11
kube-proxy                              mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11
kube-proxy                              mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11
kube-proxy                              mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11
metrics-server-vpa                      mcr.microsoft.com/oss/v2/kubernetes/autoscaler/addon-resizer:v1.8.23-2
metrics-server                          mcr.microsoft.com/oss/v2/kubernetes/metrics-server:v0.6.3-5
metrics-server-vpa                      mcr.microsoft.com/oss/v2/kubernetes/autoscaler/addon-resizer:v1.8.23-2
metrics-server                          mcr.microsoft.com/oss/v2/kubernetes/metrics-server:v0.6.3-5
microsoft-defender-pod-collector        mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164
microsoft-defender-low-level-collector  mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198
microsoft-defender-pod-collector        mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164
microsoft-defender-low-level-collector  mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198
microsoft-defender-pod-collector        mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164
microsoft-defender-low-level-collector  mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198
microsoft-defender-pod-collector        mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164
microsoft-defender-low-level-collector  mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198
microsoft-defender-pod-collector        mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164
microsoft-defender-low-level-collector  mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198
microsoft-defender-pod-collector        mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164
microsoft-defender-low-level-collector  mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198
microsoft-defender-pod-collector        mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164
microsoft-defender-publisher            mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204
microsoft-defender-publisher            mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204
microsoft-defender-publisher            mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204
microsoft-defender-publisher            mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204
microsoft-defender-publisher            mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204
microsoft-defender-publisher            mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204
retina                                  mcr.microsoft.com/containernetworking/retina-agent:v0.0.30
retina                                  mcr.microsoft.com/containernetworking/retina-agent:v0.0.30
retina                                  mcr.microsoft.com/containernetworking/retina-agent:v0.0.30
retina                                  mcr.microsoft.com/containernetworking/retina-agent:v0.0.30
retina                                  mcr.microsoft.com/containernetworking/retina-agent:v0.0.30
retina                                  mcr.microsoft.com/containernetworking/retina-agent:v0.0.30
admission-controller                    mcr.microsoft.com/oss/kubernetes/autoscaler/vpa-admission-controller:1.0.0
admission-controller                    mcr.microsoft.com/oss/kubernetes/autoscaler/vpa-admission-controller:1.0.0
recommender                             mcr.microsoft.com/oss/kubernetes/autoscaler/vpa-recommender:1.0.0
updater                                 mcr.microsoft.com/oss/kubernetes/autoscaler/vpa-updater:1.0.0
webserver-simple                        docker.io/kostiscodefresh/gitops-simple-app:v1.0
webserver-simple                        docker.io/kostiscodefresh/gitops-simple-app:v1.0
webserver-simple                        docker.io/kostiscodefresh/gitops-simple-app:v1.0
istio-proxy                             mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless
istio-proxy                             mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless
rabbitmq                                mcr.microsoft.com/mirror/docker/library/rabbitmq:3.10-management-alpine
istio-proxy                             mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless
istio-proxy                             mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless
webserver-simple                        docker.io/kostiscodefresh/gitops-simple-app:v1.0
webserver-simple                        docker.io/kostiscodefresh/gitops-simple-app:v1.0
webserver-simple                        docker.io/kostiscodefresh/gitops-simple-app:v1.0

Category: Pod Security
Severity: High
Recommendation: Use only trusted registries. Restrict deployment sources via policy.
URL: https://kubernetes.io/docs/concepts/containers/images/

SEC015 - Pods Using Default ServiceAccount
Total Issues: 20

Issue                         Namespace       Pod                                 ServiceAccount
-----                         ---------       ---                                 --------------
Using default ServiceAccount  argo-rollouts   simple-deployment-74fd649f8d-996vt  default
Using default ServiceAccount  argo-workflows  simple-deployment-74fd649f8d-24t56  default
Using default ServiceAccount  cert-manager    simple-deployment-74fd649f8d-7cht8  default
Using default ServiceAccount  grafana         simple-deployment-74fd649f8d-l7wrd  default
Using default ServiceAccount  kube-system     azure-ip-masq-agent-4522j           default
Using default ServiceAccount  kube-system     azure-ip-masq-agent-4c7cr           default
Using default ServiceAccount  kube-system     azure-ip-masq-agent-78rnw           default
Using default ServiceAccount  kube-system     azure-ip-masq-agent-84ltn           default
Using default ServiceAccount  kube-system     azure-ip-masq-agent-t4c2w           default
Using default ServiceAccount  kube-system     azure-ip-masq-agent-vbdd8           default
Using default ServiceAccount  kubeview        simple-deployment-74fd649f8d-qxp2r  default
Using default ServiceAccount  linkerd         simple-deployment-74fd649f8d-mkmst  default
Using default ServiceAccount  nginx           simple-deployment-74fd649f8d-hlcdk  default
Using default ServiceAccount  pets            order-service-6c5bfb6946-b58xq      default
Using default ServiceAccount  pets            product-service-5dd87dfb8-ssfxc     default
Using default ServiceAccount  pets            rabbitmq-0                          default
Using default ServiceAccount  pets            store-front-658994fd95-pk9qn        default
Using default ServiceAccount  prometheus      simple-deployment-74fd649f8d-2x6w5  default
Using default ServiceAccount  sealed-secrets  simple-deployment-74fd649f8d-stktp  default
Using default ServiceAccount  test            simple-deployment-74fd649f8d-lhlkx  default

Category: Pod Security
Severity: Medium
Recommendation: Assign a dedicated ServiceAccount to each workload with least-privilege permissions.
URL: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

SEC016 - Non-Existent Secret References
Total Issues: 33

Issue                               Namespace         Pod                                                Secret                   Volume
-----                               ---------         ---                                                ------                   ------
Missing secret reference in volume  aks-istio-system  istiod-asm-1-23-7744d5fbf4-9572m                   cacerts                  cacerts
Missing secret reference in volume  aks-istio-system  istiod-asm-1-23-7744d5fbf4-9572m                   istio-kubeconfig         istio-kubeconfig
Missing secret reference in volume  aks-istio-system  istiod-asm-1-23-7744d5fbf4-9572m                   istiod-tls               istio-csr-dns-cert
Missing secret reference in volume  aks-istio-system  istiod-asm-1-23-7744d5fbf4-rqzvt                   cacerts                  cacerts
Missing secret reference in volume  aks-istio-system  istiod-asm-1-23-7744d5fbf4-rqzvt                   istio-kubeconfig         istio-kubeconfig
Missing secret reference in volume  aks-istio-system  istiod-asm-1-23-7744d5fbf4-rqzvt                   istiod-tls               istio-csr-dns-cert
Missing secret reference in volume  argocd            argocd-application-controller-0                    argocd-repo-server-tls   argocd-repo-server-tls
Missing secret reference in volume  argocd            argocd-applicationset-controller-6fdf84dbb6-msffz  argocd-repo-server-tls   argocd-repo-server-tls
Missing secret reference in volume  argocd            argocd-dex-server-556c76889-h4kxj                  argocd-dex-server-tls    argocd-dex-server-tls
Missing secret reference in volume  argocd            argocd-notifications-controller-6ff6bf8dd6-nbktr   argocd-repo-server-tls   argocd-repo-server-tls
Missing secret reference in volume  argocd            argocd-repo-server-8568fc89b5-sx6ks                argocd-repo-server-tls   argocd-repo-server-tls
Missing secret reference in volume  argocd            argocd-repo-server-8568fc89b5-xrzzn                argocd-repo-server-tls   argocd-repo-server-tls
Missing secret reference in volume  argocd            argocd-server-54f9645b87-k4rz8                     argocd-repo-server-tls   argocd-repo-server-tls
Missing secret reference in volume  argocd            argocd-server-54f9645b87-k4rz8                     argocd-dex-server-tls    argocd-dex-server-tls
Missing secret reference in volume  argocd            argocd-server-54f9645b87-wwzgz                     argocd-repo-server-tls   argocd-repo-server-tls
Missing secret reference in volume  argocd            argocd-server-54f9645b87-wwzgz                     argocd-dex-server-tls    argocd-dex-server-tls
Missing secret reference in volume  kiali-operator    kiali-5b88cfb6f8-cm8dz                             kiali                    kiali-secret
Missing secret reference in volume  kube-system       ama-logs-4v8mz                                     ama-logs-adx-secret      ama-logs-adx-secret
Missing secret reference in volume  kube-system       ama-logs-5vr2w                                     ama-logs-adx-secret      ama-logs-adx-secret
Missing secret reference in volume  kube-system       ama-logs-fmd7b                                     ama-logs-adx-secret      ama-logs-adx-secret
Missing secret reference in volume  kube-system       ama-logs-fpkw6                                     ama-logs-adx-secret      ama-logs-adx-secret
Missing secret reference in volume  kube-system       ama-logs-gqs28                                     ama-logs-adx-secret      ama-logs-adx-secret
Missing secret reference in volume  kube-system       ama-logs-ndxrw                                     ama-logs-adx-secret      ama-logs-adx-secret
Missing secret reference in volume  kube-system       ama-logs-rs-64765bd4b9-ldxwl                       ama-logs-adx-secret      ama-logs-adx-secret
Missing secret reference in volume  kube-system       ama-metrics-7f878d975f-hlggb                       ama-metrics-mtls-secret  ama-metrics-tls-secret-vo…
Missing secret reference in volume  kube-system       ama-metrics-7f878d975f-q2mlg                       ama-metrics-mtls-secret  ama-metrics-tls-secret-vo…
Missing secret reference in volume  kube-system       ama-metrics-node-2ssrw                             ama-metrics-mtls-secret  ama-metrics-tls-secret-vo…
Missing secret reference in volume  kube-system       ama-metrics-node-6kkz8                             ama-metrics-mtls-secret  ama-metrics-tls-secret-vo…
Missing secret reference in volume  kube-system       ama-metrics-node-9h44h                             ama-metrics-mtls-secret  ama-metrics-tls-secret-vo…
Missing secret reference in volume  kube-system       ama-metrics-node-lhk42                             ama-metrics-mtls-secret  ama-metrics-tls-secret-vo…
Missing secret reference in volume  kube-system       ama-metrics-node-nm5bf                             ama-metrics-mtls-secret  ama-metrics-tls-secret-vo…
Missing secret reference in volume  kube-system       ama-metrics-node-pqcz5                             ama-metrics-mtls-secret  ama-metrics-tls-secret-vo…
Missing secret reference in volume  kube-system       ama-metrics-operator-targets-66fb46c8d6-vskdg      ama-metrics-mtls-secret  ama-metrics-tls-secret-vo…

Category: Pod Security
Severity: High
Recommendation: Verify that all Secrets referenced by pods exist in the target namespace.
URL: https://kubernetes.io/docs/concepts/configuration/secret/

WRK001 - DaemonSets Not Fully Running
Total Issues: 0

✅ No issues detected for DaemonSets Not Fully Running.

Category: Workloads
Severity: Warning
Recommendation: Investigate DaemonSets not fully running. Common causes include taints, node issues, or resource constraints.
URL: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/

WRK002 - Deployment Missing Replicas
Total Issues: 0

✅ No issues detected for Deployment Missing Replicas.

Category: Workloads
Severity: Warning
Recommendation: Check Deployments that are not meeting their replica count. This may indicate rollout issues or failed pods.
URL: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

WRK003 - StatefulSet Incomplete Rollout
Total Issues: 0

✅ No issues detected for StatefulSet Incomplete Rollout.

Category: Workloads
Severity: Warning
Recommendation: Investigate StatefulSets with missing ready replicas. This may indicate issues with pod readiness or volume binding.
URL: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/

WRK004 - HPA Misconfiguration or Inactivity
Total Issues: 0

✅ No issues detected for HPA Misconfiguration or Inactivity.

Category: Workloads
Severity: Warning
Recommendation: Review HorizontalPodAutoscalers with missing targets, no metrics, or disabled scaling.
URL: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/

WRK005 - Missing Resource Requests or Limits
Total Issues: 94

Message                                                    Namespace           Resource                                               Value
-------                                                    ---------           --------                                               -----
CPU and Memory Requests and CPU and Memory Limits missing  aks-istio-ingress   Deployment/aks-istio-ingressgateway-external-asm-1-23  istio-proxy
CPU and Memory Requests and CPU and Memory Limits missing  aks-istio-system    Deployment/istiod-asm-1-23                             discovery
CPU and Memory Requests and CPU and Memory Limits missing  app-routing-system  Deployment/nginx                                       controller
CPU and Memory Requests and CPU and Memory Limits missing  argo-rollouts       Deployment/simple-deployment                           webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing  argo-workflows      Deployment/simple-deployment                           webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing  argocd              Deployment/argocd-applicationset-controller            argocd-applicationse…
CPU and Memory Requests and CPU and Memory Limits missing  argocd              Deployment/argocd-dex-server                           dex
CPU and Memory Requests and CPU and Memory Limits missing  argocd              Deployment/argocd-dex-server                           copyutil
CPU and Memory Requests and CPU and Memory Limits missing  argocd              Deployment/argocd-notifications-controller             argocd-notifications…
CPU and Memory Requests and CPU and Memory Limits missing  argocd              Deployment/argocd-redis-ha-haproxy                     haproxy
CPU and Memory Requests and CPU and Memory Limits missing  argocd              Deployment/argocd-redis-ha-haproxy                     secret-init
CPU and Memory Requests and CPU and Memory Limits missing  argocd              Deployment/argocd-redis-ha-haproxy                     config-init
CPU and Memory Requests and CPU and Memory Limits missing  argocd              Deployment/argocd-repo-server                          argocd-repo-server
CPU and Memory Requests and CPU and Memory Limits missing  argocd              Deployment/argocd-repo-server                          copyutil
CPU and Memory Requests and CPU and Memory Limits missing  argocd              Deployment/argocd-server                               argocd-server
CPU and Memory Requests and CPU and Memory Limits missing  cert-manager        Deployment/simple-deployment                           webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing  gatekeeper-system   Deployment/gatekeeper-audit                            gatekeeper-audit-con…
CPU and Memory Requests and CPU and Memory Limits missing  gatekeeper-system   Deployment/gatekeeper-controller                       gatekeeper-controlle…
CPU and Memory Requests and CPU and Memory Limits missing  grafana             Deployment/simple-deployment                           webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing  kiali-operator      Deployment/kiali                                       kiali
CPU and Memory Requests and CPU and Memory Limits missing  kiali-operator      Deployment/kiali-operator                              operator
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/ama-logs-rs                                 ama-logs
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/ama-metrics                                 prometheus-collector
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/ama-metrics                                 addon-token-adapter
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/ama-metrics-ksm                             ama-metrics-ksm
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/ama-metrics-operator-targets                targetallocator
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/ama-metrics-operator-targets                config-reader
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/azure-policy                                azure-policy
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/azure-policy-webhook                        azure-policy-webhook
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/azure-wi-webhook-controller-manager         manager
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/coredns                                     coredns
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/coredns-autoscaler                          autoscaler
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/eraser-controller-manager                   manager
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/extension-agent                             extension-agent
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/extension-agent                             fluent-bit
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/extension-operator                          manager
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/extension-operator                          fluent-bit
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/keda-admission-webhooks                     keda-admission-webho…
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/keda-operator                               keda-operator
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/keda-operator-metrics-apiserver             keda-operator-metric…
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/konnectivity-agent                          konnectivity-agent
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/konnectivity-agent-autoscaler               autoscaler
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/metrics-server                              metrics-server-vpa
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/metrics-server                              metrics-server
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/microsoft-defender-collector-misc           microsoft-defender-p…
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/vpa-admission-controller                    admission-controller
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/vpa-recommender                             recommender
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         Deployment/vpa-updater                                 updater
CPU and Memory Requests and CPU and Memory Limits missing  kubeview            Deployment/simple-deployment                           webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing  linkerd             Deployment/simple-deployment                           webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing  nginx               Deployment/simple-deployment                           webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing  pets                Deployment/order-service                               order-service
CPU and Memory Requests and CPU and Memory Limits missing  pets                Deployment/order-service                               wait-for-rabbitmq
CPU and Memory Requests and CPU and Memory Limits missing  pets                Deployment/product-service                             product-service
CPU and Memory Requests and CPU and Memory Limits missing  pets                Deployment/store-front                                 store-front
CPU and Memory Requests and CPU and Memory Limits missing  prometheus          Deployment/simple-deployment                           webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing  sealed-secrets      Deployment/simple-deployment                           webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing  test                Deployment/simple-deployment                           webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing  argocd              StatefulSet/argocd-application-controller              argocd-application-c…
CPU and Memory Requests and CPU and Memory Limits missing  argocd              StatefulSet/argocd-redis-ha-server                     redis
CPU and Memory Requests and CPU and Memory Limits missing  argocd              StatefulSet/argocd-redis-ha-server                     sentinel
CPU and Memory Requests and CPU and Memory Limits missing  argocd              StatefulSet/argocd-redis-ha-server                     split-brain-fix
CPU and Memory Requests and CPU and Memory Limits missing  argocd              StatefulSet/argocd-redis-ha-server                     config-init
CPU and Memory Requests and CPU and Memory Limits missing  pets                StatefulSet/rabbitmq                                   rabbitmq
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/aks-secrets-store-csi-driver                 node-driver-registrar
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/aks-secrets-store-csi-driver                 secrets-store
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/aks-secrets-store-csi-driver                 liveness-probe
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/aks-secrets-store-csi-driver-windows         node-driver-registrar
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/aks-secrets-store-csi-driver-windows         secrets-store
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/aks-secrets-store-csi-driver-windows         liveness-probe
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/aks-secrets-store-provider-azure             provider-azure-insta…
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/aks-secrets-store-provider-azure-windows     provider-azure-insta…
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/ama-logs                                     ama-logs
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/ama-logs                                     ama-logs-prometheus
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/ama-logs-windows                             ama-logs-windows
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/ama-metrics-node                             prometheus-collector
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/ama-metrics-node                             addon-token-adapter
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/ama-metrics-win-node                         prometheus-collector
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/ama-metrics-win-node                         addon-token-adapter-…
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/azure-ip-masq-agent                          azure-ip-masq-agent
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/azure-npm                                    azure-npm
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/azure-npm                                    block-wireserver
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/cloud-node-manager                           cloud-node-manager
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/cloud-node-manager-windows                   cloud-node-manager
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/kube-proxy                                   kube-proxy
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/kube-proxy                                   kube-proxy-bootstrap
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/microsoft-defender-collector-ds              microsoft-defender-p…
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/microsoft-defender-collector-ds              microsoft-defender-l…
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/microsoft-defender-publisher-ds              microsoft-defender-p…
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/microsoft-defender-publisher-ds              old-file-cleaner
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/retina-agent                                 retina
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/retina-agent                                 retina-agent-init
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/retina-agent-win                             retinawin
CPU and Memory Requests and CPU and Memory Limits missing  kube-system         DaemonSet/windows-kube-proxy-initializer               pause

Category: Workloads
Severity: Warning
Recommendation: Specify resource requests and limits on all containers.
URL: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

WRK006 - PDB Coverage and Effectiveness
Total Issues: 25

Issue                     Kind         Name                              Namespace
-----                     ----         ----                              ---------
⚠️ maxUnavailable = 100%  PDB          nginx                             app-routing-system
❌ No matching PDB        Deployment   simple-deployment                 argo-rollouts
❌ No matching PDB        Deployment   simple-deployment                 argo-workflows
❌ No matching PDB        Deployment   argocd-applicationset-controller  argocd
❌ No matching PDB        Deployment   argocd-dex-server                 argocd
❌ No matching PDB        Deployment   argocd-notifications-controller   argocd
❌ No matching PDB        Deployment   argocd-redis-ha-haproxy           argocd
❌ No matching PDB        Deployment   argocd-repo-server                argocd
❌ No matching PDB        Deployment   argocd-server                     argocd
❌ No matching PDB        Deployment   simple-deployment                 cert-manager
❌ No matching PDB        Deployment   simple-deployment                 grafana
❌ No matching PDB        Deployment   kiali                             kiali-operator
❌ No matching PDB        Deployment   kiali-operator                    kiali-operator
❌ No matching PDB        Deployment   simple-deployment                 kubeview
❌ No matching PDB        Deployment   simple-deployment                 linkerd
❌ No matching PDB        Deployment   simple-deployment                 nginx
❌ No matching PDB        Deployment   order-service                     pets
❌ No matching PDB        Deployment   product-service                   pets
❌ No matching PDB        Deployment   store-front                       pets
❌ No matching PDB        Deployment   simple-deployment                 prometheus
❌ No matching PDB        Deployment   simple-deployment                 sealed-secrets
❌ No matching PDB        Deployment   simple-deployment                 test
❌ No matching PDB        StatefulSet  argocd-application-controller     argocd
❌ No matching PDB        StatefulSet  argocd-redis-ha-server            argocd
❌ No matching PDB        StatefulSet  rabbitmq                          pets

Category: PDBs
Severity: High
Recommendation: Workloads should have a valid PDB to prevent availability issues during disruptions.
URL: https://kubernetes.io/docs/tasks/run-application/configure-pdb/

WRK007 - Missing Readiness and Liveness Probes
Total Issues: 60

Container                               Kind         Missing              Namespace          Workload
---------                               ----         -------              ---------          --------
istio-proxy                             Deployment   readiness, liveness  aks-istio-ingress  aks-istio-ingressgateway-external-asm-1-23
discovery                               Deployment   liveness             aks-istio-system   istiod-asm-1-23
webserver-simple                        Deployment   readiness, liveness  argo-rollouts      simple-deployment
webserver-simple                        Deployment   readiness, liveness  argo-workflows     simple-deployment
argocd-applicationset-controller        Deployment   readiness, liveness  argocd             argocd-applicationset-controller
dex                                     Deployment   readiness, liveness  argocd             argocd-dex-server
argocd-notifications-controller         Deployment   readiness            argocd             argocd-notifications-controller
webserver-simple                        Deployment   readiness, liveness  cert-manager       simple-deployment
webserver-simple                        Deployment   readiness, liveness  grafana            simple-deployment
ama-logs                                Deployment   readiness            kube-system        ama-logs-rs
prometheus-collector                    Deployment   readiness            kube-system        ama-metrics
addon-token-adapter                     Deployment   readiness            kube-system        ama-metrics
targetallocator                         Deployment   readiness            kube-system        ama-metrics-operator-targets
config-reader                           Deployment   readiness            kube-system        ama-metrics-operator-targets
autoscaler                              Deployment   readiness            kube-system        coredns-autoscaler
extension-agent                         Deployment   readiness, liveness  kube-system        extension-agent
fluent-bit                              Deployment   readiness, liveness  kube-system        extension-agent
manager                                 Deployment   readiness, liveness  kube-system        extension-operator
fluent-bit                              Deployment   readiness, liveness  kube-system        extension-operator
autoscaler                              Deployment   readiness            kube-system        konnectivity-agent-autoscaler
metrics-server-vpa                      Deployment   readiness, liveness  kube-system        metrics-server
microsoft-defender-pod-collector        Deployment   readiness, liveness  kube-system        microsoft-defender-collector-misc
admission-controller                    Deployment   readiness, liveness  kube-system        vpa-admission-controller
recommender                             Deployment   readiness, liveness  kube-system        vpa-recommender
updater                                 Deployment   readiness, liveness  kube-system        vpa-updater
webserver-simple                        Deployment   readiness, liveness  kubeview           simple-deployment
webserver-simple                        Deployment   readiness, liveness  linkerd            simple-deployment
webserver-simple                        Deployment   readiness, liveness  nginx              simple-deployment
webserver-simple                        Deployment   readiness, liveness  prometheus         simple-deployment
webserver-simple                        Deployment   readiness, liveness  sealed-secrets     simple-deployment
webserver-simple                        Deployment   readiness, liveness  test               simple-deployment
argocd-application-controller           StatefulSet  liveness             argocd             argocd-application-controller
split-brain-fix                         StatefulSet  readiness, liveness  argocd             argocd-redis-ha-server
rabbitmq                                StatefulSet  readiness, liveness  pets               rabbitmq
node-driver-registrar                   DaemonSet    readiness            kube-system        aks-secrets-store-csi-driver
secrets-store                           DaemonSet    readiness            kube-system        aks-secrets-store-csi-driver
liveness-probe                          DaemonSet    readiness, liveness  kube-system        aks-secrets-store-csi-driver
node-driver-registrar                   DaemonSet    readiness            kube-system        aks-secrets-store-csi-driver-windows
secrets-store                           DaemonSet    readiness            kube-system        aks-secrets-store-csi-driver-windows
liveness-probe                          DaemonSet    readiness, liveness  kube-system        aks-secrets-store-csi-driver-windows
provider-azure-installer                DaemonSet    readiness            kube-system        aks-secrets-store-provider-azure
provider-azure-installer                DaemonSet    readiness            kube-system        aks-secrets-store-provider-azure-windows
ama-logs                                DaemonSet    readiness            kube-system        ama-logs
ama-logs-prometheus                     DaemonSet    readiness            kube-system        ama-logs
ama-logs-windows                        DaemonSet    readiness            kube-system        ama-logs-windows
prometheus-collector                    DaemonSet    readiness            kube-system        ama-metrics-node
addon-token-adapter                     DaemonSet    readiness            kube-system        ama-metrics-node
prometheus-collector                    DaemonSet    readiness            kube-system        ama-metrics-win-node
addon-token-adapter-win                 DaemonSet    readiness            kube-system        ama-metrics-win-node
azure-ip-masq-agent                     DaemonSet    readiness, liveness  kube-system        azure-ip-masq-agent
azure-npm                               DaemonSet    readiness, liveness  kube-system        azure-npm
cloud-node-manager                      DaemonSet    readiness, liveness  kube-system        cloud-node-manager
cloud-node-manager                      DaemonSet    readiness, liveness  kube-system        cloud-node-manager-windows
kube-proxy                              DaemonSet    readiness, liveness  kube-system        kube-proxy
microsoft-defender-pod-collector        DaemonSet    readiness, liveness  kube-system        microsoft-defender-collector-ds
microsoft-defender-low-level-collector  DaemonSet    readiness, liveness  kube-system        microsoft-defender-collector-ds
microsoft-defender-publisher            DaemonSet    readiness, liveness  kube-system        microsoft-defender-publisher-ds
retina                                  DaemonSet    liveness             kube-system        retina-agent
retinawin                               DaemonSet    readiness, liveness  kube-system        retina-agent-win
pause                                   DaemonSet    readiness, liveness  kube-system        windows-kube-proxy-initializer

Category: Probes
Severity: Medium
Recommendation: Add readiness and liveness probes to all containers to improve availability and fault detection.
URL: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/

WRK008 - Deployment Selector Without Matching Pods
Total Issues: 0
✅ No issues detected for Deployment Selector Without Matching Pods.
Category: Workloads
Severity: Medium
Recommendation: Ensure that pod labels match the Deployment selector.
URL: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

[CFG001 - Orphaned ConfigMaps]
Section: Configuration Hygiene
Category: Best Practices
Severity: Medium
Recommendation: Delete unused ConfigMaps to clean up the cluster and reduce confusion.
URL: https://kubernetes.io/docs/concepts/configuration/configmap/

⚠️ Total Issues: 20
- Message: ConfigMap is not used by any workloads or services. | Namespace: aks-istio-system | Resource: configmap/istio-asm-1-23 | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: aks-istio-system | Resource: configmap/istio-gateway-status-leader | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: aks-istio-system | Resource: configmap/istio-leader | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: aks-istio-system | Resource: configmap/istio-namespace-controller-election | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: aks-istio-system | Resource: configmap/istio-sidecar-injector-asm-1-23 | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: app-routing-system | Resource: configmap/nginx | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: argocd | Resource: configmap/argocd-notifications-cm | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: argocd | Resource: configmap/argocd-rbac-cm | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: kube-system | Resource: configmap/azure-ip-masq-agent-config-reconciled | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: kube-system | Resource: configmap/cluster-autoscaler-status | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: kube-system | Resource: configmap/container-azm-ms-aks-k8scluster | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: kube-system | Resource: configmap/coredns-autoscaler | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: kube-system | Resource: configmap/eraser-system-exclusion | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: kube-system | Resource: configmap/extension-apiserver-authentication | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: kube-system | Resource: configmap/extension-immutable-values | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: kube-system | Resource: configmap/extensioncontrollerleaderid-lock | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: kube-system | Resource: configmap/konnectivity-agent-autoscaler | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: kube-system | Resource: configmap/kube-apiserver-legacy-service-account-token-tracking | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: kube-system | Resource: configmap/overlay-upgrade-data | Value: -
- Message: ConfigMap is not used by any workloads or services. | Namespace: kube-system | Resource: configmap/retina-config-win | Value: -

[CFG002 - Duplicate ConfigMap Names]
Section: Configuration Hygiene
Category: Best Practices
Severity: Medium
Recommendation: Avoid using the same ConfigMap name across namespaces to reduce confusion and misconfiguration risk.
URL: https://kubernetes.io/docs/concepts/configuration/configmap/

⚠️ Total Issues: 2
- Message: Found in namespaces: 1, 10, 2, 3, 4, 5, 6, 7, 8, 9, aks-istio-egress, aks-istio-ingress, aks-istio-system, app-routing-system, argo-rollouts, argo-workflows, argocd, cert-manager, default, gatekeeper-system, grafana, kiali-operator, kube-system, kubeview, linkerd, nginx, pets, prometheus, sealed-secrets, test | Namespace: - | Resource: istio-ca-root-cert | Value: -
- Message: Found in namespaces: 1, 10, 2, 3, 4, 5, 6, 7, 8, 9, aks-istio-egress, aks-istio-ingress, aks-istio-system, app-routing-system, argo-rollouts, argo-workflows, argocd, cert-manager, default, gatekeeper-system, grafana, kiali-operator, kube-node-lease, kube-public, kube-system, kubeview, linkerd, nginx, pets, prometheus, sealed-secrets, test | Namespace: - | Resource: kube-root-ca.crt | Value: -

[CFG003 - Large ConfigMaps]
Section: Configuration Hygiene
Category: Best Practices
Severity: Medium
Recommendation: Avoid storing large data in ConfigMaps. Consider using PersistentVolumes or Secrets instead.
URL: https://kubernetes.io/docs/concepts/configuration/configmap/

✅ No issues detected for Large ConfigMaps.

[EVENT001 - Grouped Warning Events]
Section: Kubernetes Events
Category: Events
Severity: medium
Recommendation: Check for recurring issues. Investigate sources using `kubectl describe` or logs.
URL: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#event-v1-core

✅ No issues detected for Grouped Warning Events.

[EVENT002 - Full Warning Event Log]
Section: Kubernetes Events
Category: Events
Severity: medium
Recommendation: Review recent warnings. Correlate events with impacted resources.
URL: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#event-v1-core

✅ No issues detected for Full Warning Event Log.

[JOB001 - Stuck Kubernetes Jobs]
Section: Jobs
Category: Jobs
Severity: medium
Recommendation: Jobs that haven't completed may be stuck due to node issues, misconfiguration, or missing pods.
URL: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy

✅ No issues detected for Stuck Kubernetes Jobs.

[JOB002 - Failed Kubernetes Jobs]
Section: Jobs
Category: Jobs
Severity: high
Recommendation: Review job logs and resource constraints to identify cause of failure.
URL: https://kubernetes.io/docs/concepts/workloads/controllers/job/#handling-pod-and-container-failures

✅ No issues detected for Failed Kubernetes Jobs.

[NET001 - Services Without Endpoints]
Section: Networking
Category: Networking
Severity: High
Recommendation: Check if the service selector matches any pods. Ensure the backing pods are running and ready.
URL: https://kubernetes.io/docs/concepts/services-networking/service/

⚠️ Total Issues: 3
- Message: No endpoints available | Namespace: kube-system | Resource: service/extension-agent-metrics-service | Value: extension-agent-metrics-service
- Message: No endpoints available | Namespace: kube-system | Resource: service/extension-operator-metrics-service | Value: extension-operator-metrics-service
- Message: No endpoints available | Namespace: kube-system | Resource: service/network-observability | Value: network-observability

[NET002 - Publicly Accessible Services]
Section: Networking
Category: Networking
Severity: High
Recommendation: Audit services of type LoadBalancer or NodePort. Limit exposure with firewalls or internal IP ranges.
URL: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services

⚠️ Total Issues: 4
- Message: Exposed via external IP: 131.145.32.126 | Namespace: aks-istio-ingress | Resource: service/aks-istio-ingressgateway-external | Value: LoadBalancer
- Message: Exposed via external IP: 4.250.59.60 | Namespace: app-routing-system | Resource: service/nginx | Value: LoadBalancer
- Message: Exposed via external IP: 85.210.102.171 | Namespace: pets | Resource: service/store-front | Value: LoadBalancer
- Message: Exposed via NodePort | Namespace: test | Resource: service/simple-service | Value: NodePort

[NET003 - Ingress Health Validation]
Section: Networking
Category: Networking
Severity: High
Recommendation: Fix invalid ingress definitions including missing TLS secrets, backend services, and path issues.
URL: https://kubernetes.io/docs/concepts/services-networking/ingress/

✅ No issues detected for Ingress Health Validation.

[NET004 - Namespace Missing Network Policy]
Section: Networking
Category: Security
Severity: Medium
Recommendation: Apply a default deny-all ingress/egress NetworkPolicy in each namespace that hosts workloads, then selectively allow traffic as needed.
URL: https://kubernetes.io/docs/concepts/services-networking/network-policies/

⚠️ Total Issues: 16
- Issue: No NetworkPolicy in active namespace | Namespace: aks-istio-ingress | Pods: 2 | Policies: 0
- Issue: No NetworkPolicy in active namespace | Namespace: aks-istio-system | Pods: 2 | Policies: 0
- Issue: No NetworkPolicy in active namespace | Namespace: app-routing-system | Pods: 2 | Policies: 0
- Issue: No NetworkPolicy in active namespace | Namespace: argo-rollouts | Pods: 1 | Policies: 0
- Issue: No NetworkPolicy in active namespace | Namespace: argo-workflows | Pods: 1 | Policies: 0
- Issue: No NetworkPolicy in active namespace | Namespace: cert-manager | Pods: 1 | Policies: 0
- Issue: No NetworkPolicy in active namespace | Namespace: gatekeeper-system | Pods: 3 | Policies: 0
- Issue: No NetworkPolicy in active namespace | Namespace: grafana | Pods: 1 | Policies: 0
- Issue: No NetworkPolicy in active namespace | Namespace: kiali-operator | Pods: 2 | Policies: 0
- Issue: No NetworkPolicy in active namespace | Namespace: kubeview | Pods: 1 | Policies: 0
- Issue: No NetworkPolicy in active namespace | Namespace: linkerd | Pods: 1 | Policies: 0
- Issue: No NetworkPolicy in active namespace | Namespace: nginx | Pods: 1 | Policies: 0
- Issue: No NetworkPolicy in active namespace | Namespace: pets | Pods: 4 | Policies: 0
- Issue: No NetworkPolicy in active namespace | Namespace: prometheus | Pods: 1 | Policies: 0
- Issue: No NetworkPolicy in active namespace | Namespace: sealed-secrets | Pods: 1 | Policies: 0
- Issue: No NetworkPolicy in active namespace | Namespace: test | Pods: 1 | Policies: 0

[NODE001 - Node Readiness and Conditions]
Section: Nodes
Category: Nodes
Severity: High
Recommendation: Investigate NotReady nodes to avoid workload disruption.
URL: https://kubernetes.io/docs/concepts/architecture/nodes/

✅ No issues detected for Node Readiness and Conditions.

[NODE002 - Node Resource Pressure]
Section: Nodes
Category: Nodes
Severity: Medium
Recommendation: Investigate and rebalance workloads on nodes with high resource usage.
URL: https://kubernetes.io/docs/tasks/debug/debug-cluster/resource-usage-monitoring/

⚠️ Total Issues: 2
- CPU %: 9.26% | CPU Status: ✅ Normal | CPU Total: 1900 mC | CPU Used: 176 mC | Disk %: 52% | Disk Status: ✅ Normal | Mem %: 52.17% | Mem Status: 🟡 Warning | Mem Total: 6533 Mi | Mem Used: 3408 Mi | Node: aks-systempool-19995743-vmss00000m
- CPU %: 8.68% | CPU Status: ✅ Normal | CPU Total: 1900 mC | CPU Used: 165 mC | Disk %: 50% | Disk Status: ✅ Normal | Mem %: 50.16% | Mem Status: 🟡 Warning | Mem Total: 6533 Mi | Mem Used: 3277 Mi | Node: aks-systempool-19995743-vmss00000n
- CPU %: 7.68% | CPU Status: ✅ Normal | CPU Total: 1900 mC | CPU Used: 146 mC | Disk %: 49% | Disk Status: ✅ Normal | Mem %: 49.17% | Mem Status: ✅ Normal | Mem Total: 6533 Mi | Mem Used: 3212 Mi | Node: aks-systempool-19995743-vmss00000o
- CPU %: 31.11% | CPU Status: ✅ Normal | CPU Total: 3860 mC | CPU Used: 1201 mC | Disk %: 22% | Disk Status: ✅ Normal | Mem %: 22.69% | Mem Status: ✅ Normal | Mem Total: 14584 Mi | Mem Used: 3309 Mi | Node: aks-workloadpool-10479701-vmss00000e
- CPU %: 30.23% | CPU Status: ✅ Normal | CPU Total: 3860 mC | CPU Used: 1167 mC | Disk %: 16% | Disk Status: ✅ Normal | Mem %: 16.99% | Mem Status: ✅ Normal | Mem Total: 14584 Mi | Mem Used: 2478 Mi | Node: aks-workloadpool-10479701-vmss00000f
- CPU %: 3.68% | CPU Status: ✅ Normal | CPU Total: 3860 mC | CPU Used: 142 mC | Disk %: 14% | Disk Status: ✅ Normal | Mem %: 14.11% | Mem Status: ✅ Normal | Mem Total: 14584 Mi | Mem Used: 2058 Mi | Node: aks-workloadpool-10479701-vmss00000g

[NS001 - Empty Namespaces]
Section: Namespaces
Category: Namespaces
Severity: low
Recommendation: These may be stale or unused and safe to delete after verifying they contain no critical resources.
URL: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

⚠️ Total Issues: 14
- Namespace: 1 | Status: 📂 Empty
- Namespace: 10 | Status: 📂 Empty
- Namespace: 2 | Status: 📂 Empty
- Namespace: 3 | Status: 📂 Empty
- Namespace: 4 | Status: 📂 Empty
- Namespace: 5 | Status: 📂 Empty
- Namespace: 6 | Status: 📂 Empty
- Namespace: 7 | Status: 📂 Empty
- Namespace: 8 | Status: 📂 Empty
- Namespace: 9 | Status: 📂 Empty
- Namespace: aks-istio-egress | Status: 📂 Empty
- Namespace: default | Status: 📂 Empty
- Namespace: kube-node-lease | Status: 📂 Empty
- Namespace: kube-public | Status: 📂 Empty

[NS002 - Missing or Weak ResourceQuotas]
Section: Namespaces
Category: Namespaces
Severity: medium
Recommendation: Apply CPU, memory, and pod quotas to enforce fair resource usage.
URL: https://kubernetes.io/docs/concepts/policy/resource-quotas/

⚠️ Total Issues: 32
- Issue: ❌ No ResourceQuota | Namespace: 1
- Issue: ❌ No ResourceQuota | Namespace: 10
- Issue: ❌ No ResourceQuota | Namespace: 2
- Issue: ❌ No ResourceQuota | Namespace: 3
- Issue: ❌ No ResourceQuota | Namespace: 4
- Issue: ❌ No ResourceQuota | Namespace: 5
- Issue: ❌ No ResourceQuota | Namespace: 6
- Issue: ❌ No ResourceQuota | Namespace: 7
- Issue: ❌ No ResourceQuota | Namespace: 8
- Issue: ❌ No ResourceQuota | Namespace: 9
- Issue: ❌ No ResourceQuota | Namespace: aks-istio-egress
- Issue: ❌ No ResourceQuota | Namespace: aks-istio-ingress
- Issue: ❌ No ResourceQuota | Namespace: aks-istio-system
- Issue: ❌ No ResourceQuota | Namespace: app-routing-system
- Issue: ❌ No ResourceQuota | Namespace: argo-rollouts
- Issue: ❌ No ResourceQuota | Namespace: argo-workflows
- Issue: ❌ No ResourceQuota | Namespace: argocd
- Issue: ❌ No ResourceQuota | Namespace: cert-manager
- Issue: ❌ No ResourceQuota | Namespace: default
- Issue: ❌ No ResourceQuota | Namespace: gatekeeper-system
- Issue: ❌ No ResourceQuota | Namespace: grafana
- Issue: ❌ No ResourceQuota | Namespace: kiali-operator
- Issue: ❌ No ResourceQuota | Namespace: kube-node-lease
- Issue: ❌ No ResourceQuota | Namespace: kube-public
- Issue: ❌ No ResourceQuota | Namespace: kube-system
- Issue: ❌ No ResourceQuota | Namespace: kubeview
- Issue: ❌ No ResourceQuota | Namespace: linkerd
- Issue: ❌ No ResourceQuota | Namespace: nginx
- Issue: ❌ No ResourceQuota | Namespace: pets
- Issue: ❌ No ResourceQuota | Namespace: prometheus
- Issue: ❌ No ResourceQuota | Namespace: sealed-secrets
- Issue: ❌ No ResourceQuota | Namespace: test

[NS003 - Missing LimitRanges]
Section: Namespaces
Category: Namespaces
Severity: medium
Recommendation: Define default CPU and memory limits to avoid unbounded pod usage.
URL: https://kubernetes.io/docs/concepts/policy/limit-range/

⚠️ Total Issues: 32
- Issue: ❌ No LimitRange | Namespace: 1
- Issue: ❌ No LimitRange | Namespace: 10
- Issue: ❌ No LimitRange | Namespace: 2
- Issue: ❌ No LimitRange | Namespace: 3
- Issue: ❌ No LimitRange | Namespace: 4
- Issue: ❌ No LimitRange | Namespace: 5
- Issue: ❌ No LimitRange | Namespace: 6
- Issue: ❌ No LimitRange | Namespace: 7
- Issue: ❌ No LimitRange | Namespace: 8
- Issue: ❌ No LimitRange | Namespace: 9
- Issue: ❌ No LimitRange | Namespace: aks-istio-egress
- Issue: ❌ No LimitRange | Namespace: aks-istio-ingress
- Issue: ❌ No LimitRange | Namespace: aks-istio-system
- Issue: ❌ No LimitRange | Namespace: app-routing-system
- Issue: ❌ No LimitRange | Namespace: argo-rollouts
- Issue: ❌ No LimitRange | Namespace: argo-workflows
- Issue: ❌ No LimitRange | Namespace: argocd
- Issue: ❌ No LimitRange | Namespace: cert-manager
- Issue: ❌ No LimitRange | Namespace: default
- Issue: ❌ No LimitRange | Namespace: gatekeeper-system
- Issue: ❌ No LimitRange | Namespace: grafana
- Issue: ❌ No LimitRange | Namespace: kiali-operator
- Issue: ❌ No LimitRange | Namespace: kube-node-lease
- Issue: ❌ No LimitRange | Namespace: kube-public
- Issue: ❌ No LimitRange | Namespace: kube-system
- Issue: ❌ No LimitRange | Namespace: kubeview
- Issue: ❌ No LimitRange | Namespace: linkerd
- Issue: ❌ No LimitRange | Namespace: nginx
- Issue: ❌ No LimitRange | Namespace: pets
- Issue: ❌ No LimitRange | Namespace: prometheus
- Issue: ❌ No LimitRange | Namespace: sealed-secrets
- Issue: ❌ No LimitRange | Namespace: test

[POD001 - Pods with High Restarts]
Section: Pods
Category: Workloads
Severity: Warning
Recommendation: Review logs and events for frequently restarting pods and address root causes such as crashes, missing configs, or failing probes.
URL: https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#application-crashes

✅ No issues detected for Pods with High Restarts.

[POD002 - Long Running Pods]
Section: Pods
Category: Workloads
Severity: Warning
Recommendation: Review long-running pods and determine if they should be restarted or replaced by updated deployments.
URL: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase

✅ No issues detected for Long Running Pods.

[POD003 - Failed Pods]
Section: Pods
Category: Workloads
Severity: Error
Recommendation: Investigate failed pods for common issues like image errors, resource constraints, or crash loops.
URL: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase

✅ No issues detected for Failed Pods.

[POD004 - Pending Pods]
Section: Pods
Category: Workloads
Severity: Warning
Recommendation: Inspect scheduling constraints, resource availability, and missing dependencies.
URL: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase

✅ No issues detected for Pending Pods.

[POD005 - CrashLoopBackOff Pods]
Section: Pods
Category: Workloads
Severity: Error
Recommendation: Check logs, investigate container errors, and fix misconfigurations.
URL: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy

✅ No issues detected for CrashLoopBackOff Pods.

[POD006 - Leftover Debug Pods]
Section: Pods
Category: Workloads
Severity: Warning
Recommendation: Delete any leftover debug pods and review your debugging practices.
URL: https://kubernetes.io/docs/tasks/debug/debug-cluster/debug-running-pod/

✅ No issues detected for Leftover Debug Pods.

[POD007 - Container images do not use latest tag]
Section: Pods
Category: Resource Management
Severity: High
Recommendation: Specify an explicit image tag (e.g., ':v1.2.3') to ensure consistent deployments.
URL: https://kubernetes.io/docs/concepts/containers/images/#image-tags

⚠️ Total Issues: 3
- Message: Container image uses the 'latest' tag, which can lead to unpredictable deployments. | Namespace: pets | Resource: pod/order-service-6c5bfb6946-b58xq | Value: ghcr.io/azure-samples/aks-store-demo/order-service:latest, mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless
- Message: Container image uses the 'latest' tag, which can lead to unpredictable deployments. | Namespace: pets | Resource: pod/product-service-5dd87dfb8-ssfxc | Value: ghcr.io/azure-samples/aks-store-demo/product-service:latest, mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless
- Message: Container image uses the 'latest' tag, which can lead to unpredictable deployments. | Namespace: pets | Resource: pod/store-front-658994fd95-pk9qn | Value: ghcr.io/azure-samples/aks-store-demo/store-front:latest, mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless

[PVC001 - Unused Persistent Volume Claims]
Section: Storage
Category: Volumes
Severity: Medium
Recommendation: Review and delete unused PVCs to reclaim storage.
URL: https://kubernetes.io/docs/concepts/storage/persistent-volumes/

✅ No issues detected for Unused Persistent Volume Claims.

[RBAC001 - RBAC Misconfigurations]
Section: Security
Category: RBAC
Severity: High
Recommendation: Fix missing roleRefs, service accounts, and invalid namespaces in RoleBindings and ClusterRoleBindings.
URL: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

⚠️ Total Issues: 10
- Message: ServiceAccount not found | Namespace: kube-system | Resource: RoleBinding/system::leader-locking-kube-controller-manager | Value: ServiceAccount/kube-controller-manager
- Message: ServiceAccount not found | Namespace: kube-system | Resource: RoleBinding/system::leader-locking-kube-scheduler | Value: ServiceAccount/kube-scheduler
- Message: ServiceAccount not found | Namespace: kube-system | Resource: RoleBinding/system:controller:cloud-provider | Value: ServiceAccount/cloud-provider
- Message: ServiceAccount not found | Namespace: aks-istio-system | Resource: ClusterRoleBinding/istio-reader-clusterrole-asm-1-23-aks-istio-system | Value: ServiceAccount/istio-reader-service-account
- Message: ServiceAccount not found | Namespace: kube-system | Resource: ClusterRoleBinding/secretproviderrotation-rolebinding | Value: ServiceAccount/secrets-store-csi-driver
- Message: ServiceAccount not found | Namespace: kube-system | Resource: ClusterRoleBinding/system:azure-cloud-provider | Value: ServiceAccount/azure-cloud-provider
- Message: ServiceAccount not found | Namespace: kube-system | Resource: ClusterRoleBinding/system:azure-cloud-provider-secret-getter | Value: ServiceAccount/azure-cloud-provider
- Message: ServiceAccount not found | Namespace: kube-system | Resource: ClusterRoleBinding/system:controller:route-controller | Value: ServiceAccount/route-controller
- Message: ServiceAccount not found | Namespace: kube-system | Resource: ClusterRoleBinding/system:controller:service-controller | Value: ServiceAccount/service-controller
- Message: ServiceAccount not found | Namespace: kube-system | Resource: ClusterRoleBinding/system:kube-dns | Value: ServiceAccount/kube-dns

[RBAC002 - RBAC Overexposure]
Section: Security
Category: RBAC
Severity: Critical
Recommendation: Avoid cluster-admin, wildcard, and sensitive resource access in roles. Use least privilege.
URL: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

⚠️ Total Issues: 21
- Message: cluster-admin binding (built-in) | Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/aks-cluster-admin-binding | Value: User/clusterAdmin
- Message: cluster-admin binding (built-in) | Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/aks-cluster-admin-binding | Value: User/clusterUser
- Message: cluster-admin binding (built-in) | Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/aks-cluster-admin-binding-aad | Value: Group/e591c663-c79c-47a4-94b8-f646b8647046
- Message: Access to sensitive resources | Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/aks-secretprovidersyncing-rolebinding | Value: ServiceAccount/aks-secrets-store-csi-driver
- Message: Access to sensitive resources | Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/aks-service-rolebinding | Value: User/aks-support
- Message: Wildcard permission role | Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/argocd-application-controller | Value: ServiceAccount/argocd-application-controller
- Message: cluster-admin binding (built-in) | Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/cluster-admin | Value: Group/system:masters
- Message: cluster-admin binding (built-in) | Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/extension-operator | Value: ServiceAccount/extension-operatorsa
- Message: Access to sensitive resources | Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/kiali-operator | Value: ServiceAccount/kiali-operator
- Message: Access to sensitive resources (built-in) | Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/system:controller:clusterrole-aggregation-controller | Value: ServiceAccount/clusterrole-aggregation-controller
- Message: Access to sensitive resources (built-in) | Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/system:controller:legacy-service-account-token-cleaner | Value: ServiceAccount/legacy-service-account-token-cleaner
- Message: Access to sensitive resources (built-in) | Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/system:kube-controller-manager | Value: User/system:kube-controller-manager
- Message: Access to sensitive resources (built-in) | Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/system:kube-scheduler | Value: User/system:kube-scheduler
- Message: Access to sensitive resources (built-in) | Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/system:persistent-volume-binding | Value: ServiceAccount/persistent-volume-binder
- Message: Access to sensitive resources | Namespace: aks-istio-system | Resource: RoleBinding/istiod-asm-1-23 | Value: ServiceAccount/istiod-asm-1-23
- Message: Access to sensitive resources | Namespace: argocd | Resource: RoleBinding/argocd-redis-ha-haproxy | Value: ServiceAccount/argocd-redis-ha-haproxy
- Message: Access to sensitive resources | Namespace: argocd | Resource: RoleBinding/argocd-server | Value: ServiceAccount/argocd-server
- Message: Access to sensitive resources | Namespace: gatekeeper-system | Resource: RoleBinding/gatekeeper-manager-rolebinding | Value: ServiceAccount/gatekeeper-admin
- Message: Access to sensitive resources | Namespace: kube-system | Resource: RoleBinding/azure-policy-webhook-rolebinding | Value: ServiceAccount/azure-policy-webhook-account
- Message: Access to sensitive resources | Namespace: kube-system | Resource: RoleBinding/keda-operator-certs | Value: ServiceAccount/keda-operator
- Message: Access to sensitive resources | Namespace: kube-system | Resource: RoleBinding/system:controller:token-cleaner | Value: ServiceAccount/token-cleaner

[RBAC003 - Orphaned ServiceAccounts]
Section: Security
Category: RBAC
Severity: Medium
Recommendation: Clean up unused ServiceAccounts to avoid confusion and reduce RBAC clutter.
URL: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/

⚠️ Total Issues: 20
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: 1 | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: 10 | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: 2 | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: 3 | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: 4 | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: 5 | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: 6 | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: 7 | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: 8 | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: 9 | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: aks-istio-egress | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: aks-istio-ingress | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: aks-istio-system | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: app-routing-system | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: argocd | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: default | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: gatekeeper-system | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: kiali-operator | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: kube-node-lease | Resource: serviceaccount/default | Value: default
- Message: ServiceAccount not used by pods or RBAC bindings | Namespace: kube-public | Resource: serviceaccount/default | Value: default

[RBAC004 - Orphaned and Ineffective Roles]
Section: Security
Category: RBAC
Severity: Low
Recommendation: Delete Roles and ClusterRoles that are not bound or do not define any rules.
URL: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

⚠️ Total Issues: 4
- Message: ClusterRoleBinding has no subjects | Namespace: cluster-wide | Resource: clusterrolebinding/system:node | Value: system:node
- Message: Unused ClusterRole | Namespace: cluster-wide | Resource: clusterrole/aks-secretproviderclasses-admin-role | Value: aks-secretproviderclasses-admin-role
- Message: Unused ClusterRole | Namespace: cluster-wide | Resource: clusterrole/aks-secretproviderclasses-viewer-role | Value: aks-secretproviderclasses-viewer-role
- Message: ClusterRole has no rules | Namespace: cluster-wide | Resource: clusterrole/eraser-imagejob-pods-cluster-role | Value: eraser-imagejob-pods-cluster-role

[SEC001 - Orphaned Secrets]
Section: Security
Category: Security
Severity: Medium
Recommendation: Review and remove unused Secrets to reduce surface area and limit stale credentials.
URL: https://kubernetes.io/docs/concepts/configuration/secret/

⚠️ Total Issues: 10
- Message: Secret appears unused across workloads, ingresses, service accounts, or CRs | Namespace: aks-istio-system | Resource: secret/istio-ca-secret | Value: istio-ca-secret
- Message: Secret appears unused across workloads, ingresses, service accounts, or CRs | Namespace: argocd | Resource: secret/argocd-initial-admin-secret | Value: argocd-initial-admin-secret
- Message: Secret appears unused across workloads, ingresses, service accounts, or CRs | Namespace: argocd | Resource: secret/argocd-notifications-secret | Value: argocd-notifications-secret
- Message: Secret appears unused across workloads, ingresses, service accounts, or CRs | Namespace: argocd | Resource: secret/argocd-secret | Value: argocd-secret
- Message: Secret appears unused across workloads, ingresses, service accounts, or CRs | Namespace: argocd | Resource: secret/repo-1114886772 | Value: repo-1114886772
- Message: Secret appears unused across workloads, ingresses, service accounts, or CRs | Namespace: argocd | Resource: secret/repo-1952242182 | Value: repo-1952242182
- Message: Secret appears unused across workloads, ingresses, service accounts, or CRs | Namespace: kube-system | Resource: secret/aad-msi-auth-token | Value: aad-msi-auth-token
- Message: Secret appears unused across workloads, ingresses, service accounts, or CRs | Namespace: kube-system | Resource: secret/azure-policy-webhook-cert | Value: azure-policy-webhook-cert
- Message: Secret appears unused across workloads, ingresses, service accounts, or CRs | Namespace: kube-system | Resource: secret/extensions-aad-msi-token | Value: extensions-aad-msi-token
- Message: Secret appears unused across workloads, ingresses, service accounts, or CRs | Namespace: kube-system | Resource: secret/omsagent-aad-msi-token | Value: omsagent-aad-msi-token

[SEC002 - Pods using hostPID or hostNetwork]
Section: Security
Category: Pods
Severity: High
Recommendation: Avoid using hostPID or hostNetwork unless strictly required. These settings reduce isolation and can expose the host.
URL: https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline

⚠️ Total Issues: 36
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-68nhw | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-7bqmn | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-7r458 | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-k9tdc | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-n952g | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-njpqh | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-4522j | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-4c7cr | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-78rnw | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-84ltn | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-t4c2w | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-vbdd8 | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/azure-npm-jsbbh | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/azure-npm-lp6sf | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/azure-npm-nv6xx | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/azure-npm-p6fpw | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/azure-npm-vsrfp | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/azure-npm-z8mcz | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/cloud-node-manager-57rk2 | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/cloud-node-manager-gl5xl | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/cloud-node-manager-l7v5j | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/cloud-node-manager-lr49d | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/cloud-node-manager-n5qdr | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/cloud-node-manager-xwrrd | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/kube-proxy-26xkd | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/kube-proxy-6mrql | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/kube-proxy-9rbxf | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/kube-proxy-njzgk | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/kube-proxy-rvmxl | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/kube-proxy-vp7xj | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/retina-agent-cgv48 | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/retina-agent-gjxk8 | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/retina-agent-js76w | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/retina-agent-lfn7d | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/retina-agent-qc9bs | Value: hostPID=False, hostNetwork=True
- Message: Pod uses hostNetwork | Namespace: kube-system | Resource: pod/retina-agent-wlt7b | Value: hostPID=False, hostNetwork=True

[SEC003 - Pods Running as Root]
Section: Security
Category: Pod Security
Severity: High
Recommendation: Avoid running pods as root by explicitly setting runAsUser to a non-zero UID in pod or container securityContext.
URL: https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline

⚠️ Total Issues: 380
- Message: Container runs as root or has no runAsUser set | Namespace: aks-istio-ingress | Resource: pod/aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4 | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: aks-istio-ingress | Resource: pod/aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4 | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: aks-istio-ingress | Resource: pod/aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: aks-istio-ingress | Resource: pod/aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb | Value: Not Set (Defaults to root)
- Message: Container discovery runs as root or has no runAsUser set | Namespace: aks-istio-system | Resource: pod/istiod-asm-1-23-7744d5fbf4-9572m | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: aks-istio-system | Resource: pod/istiod-asm-1-23-7744d5fbf4-9572m | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: aks-istio-system | Resource: pod/istiod-asm-1-23-7744d5fbf4-9572m | Value: Not Set (Defaults to root)
- Message: Container discovery runs as root or has no runAsUser set | Namespace: aks-istio-system | Resource: pod/istiod-asm-1-23-7744d5fbf4-rqzvt | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: aks-istio-system | Resource: pod/istiod-asm-1-23-7744d5fbf4-rqzvt | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: aks-istio-system | Resource: pod/istiod-asm-1-23-7744d5fbf4-rqzvt | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: app-routing-system | Resource: pod/nginx-69fcb489fd-4wgk9 | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: app-routing-system | Resource: pod/nginx-69fcb489fd-4wgk9 | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: app-routing-system | Resource: pod/nginx-69fcb489fd-64v6k | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: app-routing-system | Resource: pod/nginx-69fcb489fd-64v6k | Value: Not Set (Defaults to root)
- Message: Container webserver-simple runs as root or has no runAsUser set | Namespace: argo-rollouts | Resource: pod/simple-deployment-74fd649f8d-996vt | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: argo-rollouts | Resource: pod/simple-deployment-74fd649f8d-996vt | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: argo-rollouts | Resource: pod/simple-deployment-74fd649f8d-996vt | Value: Not Set (Defaults to root)
- Message: Container webserver-simple runs as root or has no runAsUser set | Namespace: argo-workflows | Resource: pod/simple-deployment-74fd649f8d-24t56 | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: argo-workflows | Resource: pod/simple-deployment-74fd649f8d-24t56 | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: argo-workflows | Resource: pod/simple-deployment-74fd649f8d-24t56 | Value: Not Set (Defaults to root)
- Message: Container argocd-application-controller runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-application-controller-0 | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-application-controller-0 | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-application-controller-0 | Value: Not Set (Defaults to root)
- Message: Container argocd-applicationset-controller runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-applicationset-controller-6fdf84dbb6-msffz | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-applicationset-controller-6fdf84dbb6-msffz | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-applicationset-controller-6fdf84dbb6-msffz | Value: Not Set (Defaults to root)
- Message: Container dex runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-dex-server-556c76889-h4kxj | Value: Not Set (Defaults to root)
- Message: Container copyutil runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-dex-server-556c76889-h4kxj | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-dex-server-556c76889-h4kxj | Value: Not Set (Defaults to root)
- Message: Container argocd-notifications-controller runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-notifications-controller-6ff6bf8dd6-nbktr | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-notifications-controller-6ff6bf8dd6-nbktr | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-notifications-controller-6ff6bf8dd6-nbktr | Value: Not Set (Defaults to root)
- Message: Container argocd-repo-server runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-repo-server-8568fc89b5-sx6ks | Value: Not Set (Defaults to root)
- Message: Container copyutil runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-repo-server-8568fc89b5-sx6ks | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-repo-server-8568fc89b5-sx6ks | Value: Not Set (Defaults to root)
- Message: Container argocd-repo-server runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-repo-server-8568fc89b5-xrzzn | Value: Not Set (Defaults to root)
- Message: Container copyutil runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-repo-server-8568fc89b5-xrzzn | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-repo-server-8568fc89b5-xrzzn | Value: Not Set (Defaults to root)
- Message: Container argocd-server runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-server-54f9645b87-k4rz8 | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-server-54f9645b87-k4rz8 | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-server-54f9645b87-k4rz8 | Value: Not Set (Defaults to root)
- Message: Container argocd-server runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-server-54f9645b87-wwzgz | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-server-54f9645b87-wwzgz | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: argocd | Resource: pod/argocd-server-54f9645b87-wwzgz | Value: Not Set (Defaults to root)
- Message: Container webserver-simple runs as root or has no runAsUser set | Namespace: cert-manager | Resource: pod/simple-deployment-74fd649f8d-7cht8 | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: cert-manager | Resource: pod/simple-deployment-74fd649f8d-7cht8 | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: cert-manager | Resource: pod/simple-deployment-74fd649f8d-7cht8 | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: gatekeeper-system | Resource: pod/gatekeeper-audit-77858c8f69-7k782 | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: gatekeeper-system | Resource: pod/gatekeeper-audit-77858c8f69-7k782 | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: gatekeeper-system | Resource: pod/gatekeeper-controller-6f97954b4b-7tbnr | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: gatekeeper-system | Resource: pod/gatekeeper-controller-6f97954b4b-7tbnr | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: gatekeeper-system | Resource: pod/gatekeeper-controller-6f97954b4b-gwrgg | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: gatekeeper-system | Resource: pod/gatekeeper-controller-6f97954b4b-gwrgg | Value: Not Set (Defaults to root)
- Message: Container webserver-simple runs as root or has no runAsUser set | Namespace: grafana | Resource: pod/simple-deployment-74fd649f8d-l7wrd | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: grafana | Resource: pod/simple-deployment-74fd649f8d-l7wrd | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: grafana | Resource: pod/simple-deployment-74fd649f8d-l7wrd | Value: Not Set (Defaults to root)
- Message: Container kiali runs as root or has no runAsUser set | Namespace: kiali-operator | Resource: pod/kiali-5b88cfb6f8-cm8dz | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: kiali-operator | Resource: pod/kiali-5b88cfb6f8-cm8dz | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: kiali-operator | Resource: pod/kiali-5b88cfb6f8-cm8dz | Value: Not Set (Defaults to root)
- Message: Container operator runs as root or has no runAsUser set | Namespace: kiali-operator | Resource: pod/kiali-operator-696bd54db-mr8md | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: kiali-operator | Resource: pod/kiali-operator-696bd54db-mr8md | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: kiali-operator | Resource: pod/kiali-operator-696bd54db-mr8md | Value: Not Set (Defaults to root)
- Message: Container node-driver-registrar runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-2l2wl | Value: Not Set (Defaults to root)
- Message: Container secrets-store runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-2l2wl | Value: Not Set (Defaults to root)
- Message: Container liveness-probe runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-2l2wl | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-2l2wl | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-2l2wl | Value: Not Set (Defaults to root)
- Message: Container node-driver-registrar runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-6w2vp | Value: Not Set (Defaults to root)
- Message: Container secrets-store runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-6w2vp | Value: Not Set (Defaults to root)
- Message: Container liveness-probe runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-6w2vp | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-6w2vp | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-6w2vp | Value: Not Set (Defaults to root)
- Message: Container node-driver-registrar runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-7879c | Value: Not Set (Defaults to root)
- Message: Container secrets-store runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-7879c | Value: Not Set (Defaults to root)
- Message: Container liveness-probe runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-7879c | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-7879c | Value: Not Set (Defaults to root)
- Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-7879c | Value: Not Set (Defaults to root)
- Message: Container node-driver-registrar runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-m8m29 | Value: Not Set (Defaults to root)
- Message: 
Container secrets-store runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-m8m29 | Value: Not Set (Defaults to root) - Message: Container liveness-probe runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-m8m29 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-m8m29 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-m8m29 | Value: Not Set (Defaults to root) - Message: Container node-driver-registrar runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-vnmcd | Value: Not Set (Defaults to root) - Message: Container secrets-store runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-vnmcd | Value: Not Set (Defaults to root) - Message: Container liveness-probe runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-vnmcd | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-vnmcd | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-vnmcd | Value: Not Set (Defaults to root) - Message: Container node-driver-registrar runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-zrfbz | Value: Not Set (Defaults to root) - Message: Container secrets-store runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-zrfbz | Value: Not Set (Defaults to root) - Message: Container 
liveness-probe runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-zrfbz | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-zrfbz | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-zrfbz | Value: Not Set (Defaults to root) - Message: Container provider-azure-installer runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-68nhw | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-68nhw | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-68nhw | Value: Not Set (Defaults to root) - Message: Container provider-azure-installer runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-7bqmn | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-7bqmn | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-7bqmn | Value: Not Set (Defaults to root) - Message: Container provider-azure-installer runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-7r458 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-7r458 | Value: Not Set (Defaults to root) - Message: Container runs as 
root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-7r458 | Value: Not Set (Defaults to root) - Message: Container provider-azure-installer runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-k9tdc | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-k9tdc | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-k9tdc | Value: Not Set (Defaults to root) - Message: Container provider-azure-installer runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-n952g | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-n952g | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-n952g | Value: Not Set (Defaults to root) - Message: Container provider-azure-installer runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-njpqh | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-njpqh | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/aks-secrets-store-provider-azure-njpqh | Value: Not Set (Defaults to root) - Message: Container ama-logs runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-4v8mz | Value: Not Set (Defaults to root) - Message: Container ama-logs-prometheus runs as root 
or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-4v8mz | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-4v8mz | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-4v8mz | Value: Not Set (Defaults to root) - Message: Container ama-logs runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-5vr2w | Value: Not Set (Defaults to root) - Message: Container ama-logs-prometheus runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-5vr2w | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-5vr2w | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-5vr2w | Value: Not Set (Defaults to root) - Message: Container ama-logs runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-fmd7b | Value: Not Set (Defaults to root) - Message: Container ama-logs-prometheus runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-fmd7b | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-fmd7b | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-fmd7b | Value: Not Set (Defaults to root) - Message: Container ama-logs runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-fpkw6 | Value: Not Set (Defaults to root) - Message: Container ama-logs-prometheus runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-fpkw6 | Value: Not Set (Defaults to 
root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-fpkw6 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-fpkw6 | Value: Not Set (Defaults to root) - Message: Container ama-logs runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-gqs28 | Value: Not Set (Defaults to root) - Message: Container ama-logs-prometheus runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-gqs28 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-gqs28 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-gqs28 | Value: Not Set (Defaults to root) - Message: Container ama-logs runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-ndxrw | Value: Not Set (Defaults to root) - Message: Container ama-logs-prometheus runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-ndxrw | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-ndxrw | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-ndxrw | Value: Not Set (Defaults to root) - Message: Container ama-logs runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-rs-64765bd4b9-ldxwl | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-logs-rs-64765bd4b9-ldxwl | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: 
pod/ama-logs-rs-64765bd4b9-ldxwl | Value: Not Set (Defaults to root) - Message: Container prometheus-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-7f878d975f-hlggb | Value: Not Set (Defaults to root) - Message: Container addon-token-adapter runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-7f878d975f-hlggb | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-7f878d975f-hlggb | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-7f878d975f-hlggb | Value: Not Set (Defaults to root) - Message: Container prometheus-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-7f878d975f-q2mlg | Value: Not Set (Defaults to root) - Message: Container addon-token-adapter runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-7f878d975f-q2mlg | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-7f878d975f-q2mlg | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-7f878d975f-q2mlg | Value: Not Set (Defaults to root) - Message: Container prometheus-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-2ssrw | Value: Not Set (Defaults to root) - Message: Container addon-token-adapter runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-2ssrw | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-2ssrw | Value: Not Set (Defaults to root) - Message: Container 
runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-2ssrw | Value: Not Set (Defaults to root) - Message: Container prometheus-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-6kkz8 | Value: Not Set (Defaults to root) - Message: Container addon-token-adapter runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-6kkz8 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-6kkz8 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-6kkz8 | Value: Not Set (Defaults to root) - Message: Container prometheus-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-9h44h | Value: Not Set (Defaults to root) - Message: Container addon-token-adapter runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-9h44h | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-9h44h | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-9h44h | Value: Not Set (Defaults to root) - Message: Container prometheus-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-lhk42 | Value: Not Set (Defaults to root) - Message: Container addon-token-adapter runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-lhk42 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-lhk42 | Value: Not Set (Defaults to root) - 
Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-lhk42 | Value: Not Set (Defaults to root) - Message: Container prometheus-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-nm5bf | Value: Not Set (Defaults to root) - Message: Container addon-token-adapter runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-nm5bf | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-nm5bf | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-nm5bf | Value: Not Set (Defaults to root) - Message: Container prometheus-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-pqcz5 | Value: Not Set (Defaults to root) - Message: Container addon-token-adapter runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-pqcz5 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-pqcz5 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-node-pqcz5 | Value: Not Set (Defaults to root) - Message: Container targetallocator runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-operator-targets-66fb46c8d6-vskdg | Value: Not Set (Defaults to root) - Message: Container config-reader runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-operator-targets-66fb46c8d6-vskdg | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: 
pod/ama-metrics-operator-targets-66fb46c8d6-vskdg | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/ama-metrics-operator-targets-66fb46c8d6-vskdg | Value: Not Set (Defaults to root) - Message: Container azure-ip-masq-agent runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-4522j | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-4522j | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-4522j | Value: Not Set (Defaults to root) - Message: Container azure-ip-masq-agent runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-4c7cr | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-4c7cr | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-4c7cr | Value: Not Set (Defaults to root) - Message: Container azure-ip-masq-agent runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-78rnw | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-78rnw | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-78rnw | Value: Not Set (Defaults to root) - Message: Container azure-ip-masq-agent runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-84ltn | Value: Not Set (Defaults to root) - Message: Container runs as root or has 
no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-84ltn | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-84ltn | Value: Not Set (Defaults to root) - Message: Container azure-ip-masq-agent runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-t4c2w | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-t4c2w | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-t4c2w | Value: Not Set (Defaults to root) - Message: Container azure-ip-masq-agent runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-vbdd8 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-vbdd8 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-ip-masq-agent-vbdd8 | Value: Not Set (Defaults to root) - Message: Container azure-npm runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-npm-jsbbh | Value: Not Set (Defaults to root) - Message: Container block-wireserver runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-npm-jsbbh | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-npm-jsbbh | Value: Not Set (Defaults to root) - Message: Container azure-npm runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-npm-lp6sf | Value: Not Set (Defaults to root) - Message: Container block-wireserver runs as root or has no runAsUser 
set | Namespace: kube-system | Resource: pod/azure-npm-lp6sf | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-npm-lp6sf | Value: Not Set (Defaults to root) - Message: Container azure-npm runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-npm-nv6xx | Value: Not Set (Defaults to root) - Message: Container block-wireserver runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-npm-nv6xx | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-npm-nv6xx | Value: Not Set (Defaults to root) - Message: Container azure-npm runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-npm-p6fpw | Value: Not Set (Defaults to root) - Message: Container block-wireserver runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-npm-p6fpw | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-npm-p6fpw | Value: Not Set (Defaults to root) - Message: Container azure-npm runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-npm-vsrfp | Value: Not Set (Defaults to root) - Message: Container block-wireserver runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-npm-vsrfp | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-npm-vsrfp | Value: Not Set (Defaults to root) - Message: Container azure-npm runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-npm-z8mcz | Value: Not Set (Defaults to root) - Message: Container block-wireserver runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-npm-z8mcz | Value: Not Set 
(Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-npm-z8mcz | Value: Not Set (Defaults to root) - Message: Container azure-policy runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-policy-698f7c86b4-nnff2 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-policy-698f7c86b4-nnff2 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-policy-698f7c86b4-nnff2 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-policy-webhook-764fdf5cd5-6vrc5 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-policy-webhook-764fdf5cd5-6vrc5 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-wi-webhook-controller-manager-7f95f666d4-7r44b | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-wi-webhook-controller-manager-7f95f666d4-7r44b | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-wi-webhook-controller-manager-7f95f666d4-xfh2p | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/azure-wi-webhook-controller-manager-7f95f666d4-xfh2p | Value: Not Set (Defaults to root) - Message: Container cloud-node-manager runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-57rk2 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no 
runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-57rk2 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-57rk2 | Value: Not Set (Defaults to root) - Message: Container cloud-node-manager runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-gl5xl | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-gl5xl | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-gl5xl | Value: Not Set (Defaults to root) - Message: Container cloud-node-manager runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-l7v5j | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-l7v5j | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-l7v5j | Value: Not Set (Defaults to root) - Message: Container cloud-node-manager runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-lr49d | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-lr49d | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-lr49d | Value: Not Set (Defaults to root) - Message: Container cloud-node-manager runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-n5qdr | Value: Not Set (Defaults to root) - Message: Container runs as root or has no 
runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-n5qdr | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-n5qdr | Value: Not Set (Defaults to root) - Message: Container cloud-node-manager runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-xwrrd | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-xwrrd | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/cloud-node-manager-xwrrd | Value: Not Set (Defaults to root) - Message: Container coredns runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/coredns-658d6d767d-757xp | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/coredns-658d6d767d-757xp | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/coredns-658d6d767d-757xp | Value: Not Set (Defaults to root) - Message: Container coredns runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/coredns-658d6d767d-pt6l6 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/coredns-658d6d767d-pt6l6 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/coredns-658d6d767d-pt6l6 | Value: Not Set (Defaults to root) - Message: Container autoscaler runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/coredns-autoscaler-5955d6bbdb-mz9kn | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | 
Namespace: kube-system | Resource: pod/coredns-autoscaler-5955d6bbdb-mz9kn | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/coredns-autoscaler-5955d6bbdb-mz9kn | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/eraser-controller-manager-864f9476c8-lhdfc | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/eraser-controller-manager-864f9476c8-lhdfc | Value: Not Set (Defaults to root) - Message: Container extension-agent runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/extension-agent-66c4486d68-46cqq | Value: Not Set (Defaults to root) - Message: Container fluent-bit runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/extension-agent-66c4486d68-46cqq | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/extension-agent-66c4486d68-46cqq | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/extension-agent-66c4486d68-46cqq | Value: Not Set (Defaults to root) - Message: Container manager runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/extension-operator-d95fd449b-ssrcx | Value: Not Set (Defaults to root) - Message: Container fluent-bit runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/extension-operator-d95fd449b-ssrcx | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/extension-operator-d95fd449b-ssrcx | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/extension-operator-d95fd449b-ssrcx 
| Value: Not Set (Defaults to root) - Message: Container konnectivity-agent runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/konnectivity-agent-9f65c5cd8-fzm5q | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/konnectivity-agent-9f65c5cd8-fzm5q | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/konnectivity-agent-9f65c5cd8-fzm5q | Value: Not Set (Defaults to root) - Message: Container konnectivity-agent runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/konnectivity-agent-9f65c5cd8-t9qdj | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/konnectivity-agent-9f65c5cd8-t9qdj | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/konnectivity-agent-9f65c5cd8-t9qdj | Value: Not Set (Defaults to root) - Message: Container autoscaler runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/konnectivity-agent-autoscaler-cdfc7c46-vct7p | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/konnectivity-agent-autoscaler-cdfc7c46-vct7p | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/konnectivity-agent-autoscaler-cdfc7c46-vct7p | Value: Not Set (Defaults to root) - Message: Container kube-proxy runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/kube-proxy-26xkd | Value: Not Set (Defaults to root) - Message: Container kube-proxy-bootstrap runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/kube-proxy-26xkd | Value: Not Set (Defaults to root) - Message: 
Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/kube-proxy-26xkd | Value: Not Set (Defaults to root) - Message: Container kube-proxy runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/kube-proxy-6mrql | Value: Not Set (Defaults to root) - Message: Container kube-proxy-bootstrap runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/kube-proxy-6mrql | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/kube-proxy-6mrql | Value: Not Set (Defaults to root) - Message: Container kube-proxy runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/kube-proxy-9rbxf | Value: Not Set (Defaults to root) - Message: Container kube-proxy-bootstrap runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/kube-proxy-9rbxf | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/kube-proxy-9rbxf | Value: Not Set (Defaults to root) - Message: Container kube-proxy runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/kube-proxy-njzgk | Value: Not Set (Defaults to root) - Message: Container kube-proxy-bootstrap runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/kube-proxy-njzgk | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/kube-proxy-njzgk | Value: Not Set (Defaults to root) - Message: Container kube-proxy runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/kube-proxy-rvmxl | Value: Not Set (Defaults to root) - Message: Container kube-proxy-bootstrap runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/kube-proxy-rvmxl | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set 
| Namespace: kube-system | Resource: pod/kube-proxy-rvmxl | Value: Not Set (Defaults to root) - Message: Container kube-proxy runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/kube-proxy-vp7xj | Value: Not Set (Defaults to root) - Message: Container kube-proxy-bootstrap runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/kube-proxy-vp7xj | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/kube-proxy-vp7xj | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/metrics-server-5f9ccffcc4-jsrjl | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/metrics-server-5f9ccffcc4-jsrjl | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/metrics-server-5f9ccffcc4-v88pw | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/metrics-server-5f9ccffcc4-v88pw | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-pod-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-6xdfq | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-low-level-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-6xdfq | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-6xdfq | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-6xdfq | Value: Not Set 
(Defaults to root) - Message: Container microsoft-defender-pod-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-89l74 | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-low-level-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-89l74 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-89l74 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-89l74 | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-pod-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-d7gwk | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-low-level-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-d7gwk | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-d7gwk | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-d7gwk | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-pod-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-mdcs8 | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-low-level-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-mdcs8 | Value: Not Set (Defaults to root) - Message: Container runs as root 
or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-mdcs8 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-mdcs8 | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-pod-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-q6d6c | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-low-level-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-q6d6c | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-q6d6c | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-q6d6c | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-pod-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-wb5dm | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-low-level-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-wb5dm | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-wb5dm | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-ds-wb5dm | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-pod-collector runs as root or has no runAsUser set | Namespace: kube-system | Resource: 
pod/microsoft-defender-collector-misc-7df6776447-bcbph | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-misc-7df6776447-bcbph | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-collector-misc-7df6776447-bcbph | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-publisher runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-2ql5b | Value: Not Set (Defaults to root) - Message: Container old-file-cleaner runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-2ql5b | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-2ql5b | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-publisher runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-2rsrw | Value: Not Set (Defaults to root) - Message: Container old-file-cleaner runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-2rsrw | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-2rsrw | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-publisher runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-jj6dh | Value: Not Set (Defaults to root) - Message: Container old-file-cleaner runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-jj6dh | Value: Not Set (Defaults to root) - Message: 
Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-jj6dh | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-publisher runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-l5crs | Value: Not Set (Defaults to root) - Message: Container old-file-cleaner runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-l5crs | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-l5crs | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-publisher runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-lfk8h | Value: Not Set (Defaults to root) - Message: Container old-file-cleaner runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-lfk8h | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-lfk8h | Value: Not Set (Defaults to root) - Message: Container microsoft-defender-publisher runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-vz2c6 | Value: Not Set (Defaults to root) - Message: Container old-file-cleaner runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-vz2c6 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/microsoft-defender-publisher-ds-vz2c6 | Value: Not Set (Defaults to root) - Message: Container retina runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-cgv48 | Value: Not Set 
(Defaults to root) - Message: Container retina-agent-init runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-cgv48 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-cgv48 | Value: Not Set (Defaults to root) - Message: Container retina runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-gjxk8 | Value: Not Set (Defaults to root) - Message: Container retina-agent-init runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-gjxk8 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-gjxk8 | Value: Not Set (Defaults to root) - Message: Container retina runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-js76w | Value: Not Set (Defaults to root) - Message: Container retina-agent-init runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-js76w | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-js76w | Value: Not Set (Defaults to root) - Message: Container retina runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-lfn7d | Value: Not Set (Defaults to root) - Message: Container retina-agent-init runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-lfn7d | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-lfn7d | Value: Not Set (Defaults to root) - Message: Container retina runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-qc9bs | Value: Not Set (Defaults to root) - Message: Container 
retina-agent-init runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-qc9bs | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-qc9bs | Value: Not Set (Defaults to root) - Message: Container retina runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-wlt7b | Value: Not Set (Defaults to root) - Message: Container retina-agent-init runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-wlt7b | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kube-system | Resource: pod/retina-agent-wlt7b | Value: Not Set (Defaults to root) - Message: Container webserver-simple runs as root or has no runAsUser set | Namespace: kubeview | Resource: pod/simple-deployment-74fd649f8d-qxp2r | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kubeview | Resource: pod/simple-deployment-74fd649f8d-qxp2r | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: kubeview | Resource: pod/simple-deployment-74fd649f8d-qxp2r | Value: Not Set (Defaults to root) - Message: Container webserver-simple runs as root or has no runAsUser set | Namespace: linkerd | Resource: pod/simple-deployment-74fd649f8d-mkmst | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: linkerd | Resource: pod/simple-deployment-74fd649f8d-mkmst | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: linkerd | Resource: pod/simple-deployment-74fd649f8d-mkmst | Value: Not Set (Defaults to root) - Message: Container webserver-simple runs as root or has no runAsUser set | Namespace: nginx | Resource: pod/simple-deployment-74fd649f8d-hlcdk | Value: Not Set (Defaults to 
root) - Message: Container runs as root or has no runAsUser set | Namespace: nginx | Resource: pod/simple-deployment-74fd649f8d-hlcdk | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: nginx | Resource: pod/simple-deployment-74fd649f8d-hlcdk | Value: Not Set (Defaults to root) - Message: Container order-service runs as root or has no runAsUser set | Namespace: pets | Resource: pod/order-service-6c5bfb6946-b58xq | Value: Not Set (Defaults to root) - Message: Container wait-for-rabbitmq runs as root or has no runAsUser set | Namespace: pets | Resource: pod/order-service-6c5bfb6946-b58xq | Value: Not Set (Defaults to root) - Message: Container istio-init runs as root or has no runAsUser set | Namespace: pets | Resource: pod/order-service-6c5bfb6946-b58xq | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: pets | Resource: pod/order-service-6c5bfb6946-b58xq | Value: Not Set (Defaults to root) - Message: Container product-service runs as root or has no runAsUser set | Namespace: pets | Resource: pod/product-service-5dd87dfb8-ssfxc | Value: Not Set (Defaults to root) - Message: Container istio-init runs as root or has no runAsUser set | Namespace: pets | Resource: pod/product-service-5dd87dfb8-ssfxc | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: pets | Resource: pod/product-service-5dd87dfb8-ssfxc | Value: Not Set (Defaults to root) - Message: Container rabbitmq runs as root or has no runAsUser set | Namespace: pets | Resource: pod/rabbitmq-0 | Value: Not Set (Defaults to root) - Message: Container istio-init runs as root or has no runAsUser set | Namespace: pets | Resource: pod/rabbitmq-0 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: pets | Resource: pod/rabbitmq-0 | Value: Not Set (Defaults to root) - Message: Container store-front runs as 
root or has no runAsUser set | Namespace: pets | Resource: pod/store-front-658994fd95-pk9qn | Value: Not Set (Defaults to root) - Message: Container istio-init runs as root or has no runAsUser set | Namespace: pets | Resource: pod/store-front-658994fd95-pk9qn | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: pets | Resource: pod/store-front-658994fd95-pk9qn | Value: Not Set (Defaults to root) - Message: Container webserver-simple runs as root or has no runAsUser set | Namespace: prometheus | Resource: pod/simple-deployment-74fd649f8d-2x6w5 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: prometheus | Resource: pod/simple-deployment-74fd649f8d-2x6w5 | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: prometheus | Resource: pod/simple-deployment-74fd649f8d-2x6w5 | Value: Not Set (Defaults to root) - Message: Container webserver-simple runs as root or has no runAsUser set | Namespace: sealed-secrets | Resource: pod/simple-deployment-74fd649f8d-stktp | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: sealed-secrets | Resource: pod/simple-deployment-74fd649f8d-stktp | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: sealed-secrets | Resource: pod/simple-deployment-74fd649f8d-stktp | Value: Not Set (Defaults to root) - Message: Container webserver-simple runs as root or has no runAsUser set | Namespace: test | Resource: pod/simple-deployment-74fd649f8d-lhlkx | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: test | Resource: pod/simple-deployment-74fd649f8d-lhlkx | Value: Not Set (Defaults to root) - Message: Container runs as root or has no runAsUser set | Namespace: test | Resource: pod/simple-deployment-74fd649f8d-lhlkx | Value: Not Set 
(Defaults to root)

[SEC004 - Privileged Containers]
Section: Security
Category: Pod Security
Severity: High
Recommendation: Avoid using privileged containers unless absolutely necessary, as they grant broad access to host resources.
URL: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
⚠️ Total Issues: 37
- Message: Container 'secrets-store' is running in privileged mode | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-2l2wl | Value: privileged=true
- Message: Container 'secrets-store' is running in privileged mode | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-6w2vp | Value: privileged=true
- Message: Container 'secrets-store' is running in privileged mode | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-7879c | Value: privileged=true
- Message: Container 'secrets-store' is running in privileged mode | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-m8m29 | Value: privileged=true
- Message: Container 'secrets-store' is running in privileged mode | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-vnmcd | Value: privileged=true
- Message: Container 'secrets-store' is running in privileged mode | Namespace: kube-system | Resource: pod/aks-secrets-store-csi-driver-zrfbz | Value: privileged=true
- Message: Container 'ama-logs' is running in privileged mode | Namespace: kube-system | Resource: pod/ama-logs-4v8mz | Value: privileged=true
- Message: Container 'ama-logs-prometheus' is running in privileged mode | Namespace: kube-system | Resource: pod/ama-logs-4v8mz | Value: privileged=true
- Message: Container 'ama-logs' is running in privileged mode | Namespace: kube-system | Resource: pod/ama-logs-5vr2w | Value: privileged=true
- Message: Container 'ama-logs-prometheus' is running in privileged mode | Namespace: kube-system | Resource: pod/ama-logs-5vr2w | Value: privileged=true
- Message: Container 'ama-logs' is running in privileged
mode | Namespace: kube-system | Resource: pod/ama-logs-fmd7b | Value: privileged=true - Message: Container 'ama-logs-prometheus' is running in privileged mode | Namespace: kube-system | Resource: pod/ama-logs-fmd7b | Value: privileged=true - Message: Container 'ama-logs' is running in privileged mode | Namespace: kube-system | Resource: pod/ama-logs-fpkw6 | Value: privileged=true - Message: Container 'ama-logs-prometheus' is running in privileged mode | Namespace: kube-system | Resource: pod/ama-logs-fpkw6 | Value: privileged=true - Message: Container 'ama-logs' is running in privileged mode | Namespace: kube-system | Resource: pod/ama-logs-gqs28 | Value: privileged=true - Message: Container 'ama-logs-prometheus' is running in privileged mode | Namespace: kube-system | Resource: pod/ama-logs-gqs28 | Value: privileged=true - Message: Container 'ama-logs' is running in privileged mode | Namespace: kube-system | Resource: pod/ama-logs-ndxrw | Value: privileged=true - Message: Container 'ama-logs-prometheus' is running in privileged mode | Namespace: kube-system | Resource: pod/ama-logs-ndxrw | Value: privileged=true - Message: Container 'ama-logs' is running in privileged mode | Namespace: kube-system | Resource: pod/ama-logs-rs-64765bd4b9-ldxwl | Value: privileged=true - Message: Container 'kube-proxy' is running in privileged mode | Namespace: kube-system | Resource: pod/kube-proxy-26xkd | Value: privileged=true - Message: Container 'kube-proxy-bootstrap' is running in privileged mode | Namespace: kube-system | Resource: pod/kube-proxy-26xkd | Value: privileged=true - Message: Container 'kube-proxy' is running in privileged mode | Namespace: kube-system | Resource: pod/kube-proxy-6mrql | Value: privileged=true - Message: Container 'kube-proxy-bootstrap' is running in privileged mode | Namespace: kube-system | Resource: pod/kube-proxy-6mrql | Value: privileged=true - Message: Container 'kube-proxy' is running in privileged mode | Namespace: kube-system | Resource: 
pod/kube-proxy-9rbxf | Value: privileged=true - Message: Container 'kube-proxy-bootstrap' is running in privileged mode | Namespace: kube-system | Resource: pod/kube-proxy-9rbxf | Value: privileged=true - Message: Container 'kube-proxy' is running in privileged mode | Namespace: kube-system | Resource: pod/kube-proxy-njzgk | Value: privileged=true - Message: Container 'kube-proxy-bootstrap' is running in privileged mode | Namespace: kube-system | Resource: pod/kube-proxy-njzgk | Value: privileged=true - Message: Container 'kube-proxy' is running in privileged mode | Namespace: kube-system | Resource: pod/kube-proxy-rvmxl | Value: privileged=true - Message: Container 'kube-proxy-bootstrap' is running in privileged mode | Namespace: kube-system | Resource: pod/kube-proxy-rvmxl | Value: privileged=true - Message: Container 'kube-proxy' is running in privileged mode | Namespace: kube-system | Resource: pod/kube-proxy-vp7xj | Value: privileged=true - Message: Container 'kube-proxy-bootstrap' is running in privileged mode | Namespace: kube-system | Resource: pod/kube-proxy-vp7xj | Value: privileged=true - Message: Container 'retina-agent-init' is running in privileged mode | Namespace: kube-system | Resource: pod/retina-agent-cgv48 | Value: privileged=true - Message: Container 'retina-agent-init' is running in privileged mode | Namespace: kube-system | Resource: pod/retina-agent-gjxk8 | Value: privileged=true - Message: Container 'retina-agent-init' is running in privileged mode | Namespace: kube-system | Resource: pod/retina-agent-js76w | Value: privileged=true - Message: Container 'retina-agent-init' is running in privileged mode | Namespace: kube-system | Resource: pod/retina-agent-lfn7d | Value: privileged=true - Message: Container 'retina-agent-init' is running in privileged mode | Namespace: kube-system | Resource: pod/retina-agent-qc9bs | Value: privileged=true - Message: Container 'retina-agent-init' is running in privileged mode | Namespace: kube-system | 
Resource: pod/retina-agent-wlt7b | Value: privileged=true

[SEC005 - Pods Using hostIPC]
Section: Security
Category: Pod Security
Severity: High
Recommendation: Avoid using hostIPC in pods unless absolutely required for specific functionality.
URL: https://kubernetes.io/docs/concepts/security/pod-security-standards/#host-namespaces
✅ No issues detected for Pods Using hostIPC.

[SEC006 - Pods Missing Secure Defaults]
Section: Security
Category: Pod Security
Severity: Medium
Recommendation: Set runAsNonRoot=true, readOnlyRootFilesystem=true, and allowPrivilegeEscalation=false for all pods and containers.
URL: https://kubernetes.io/docs/concepts/security/pod-security-standards/
⚠️ Total Issues: 155
- Container: controller | Flags: runAsNonRoot: True, readOnlyRootFilesystem: , allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: app-routing-system | Pod: nginx-69fcb489fd-4wgk9
- Container: controller | Flags: runAsNonRoot: True, readOnlyRootFilesystem: , allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: app-routing-system | Pod: nginx-69fcb489fd-64v6k
- Container: webserver-simple | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: argo-rollouts | Pod: simple-deployment-74fd649f8d-996vt
- Container: webserver-simple | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: argo-workflows | Pod: simple-deployment-74fd649f8d-24t56
- Container: argocd-notifications-controller | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: argocd | Pod: argocd-notifications-controller-6ff6bf8dd6-nbktr
- Container: haproxy | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: argocd | Pod: argocd-redis-ha-haproxy-fb657456c-kjbkq
- Container: haproxy | Flags: runAsNonRoot: ,
readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: argocd | Pod: argocd-redis-ha-haproxy-fb657456c-kjlpf
- Container: haproxy | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: argocd | Pod: argocd-redis-ha-haproxy-fb657456c-tnjmb
- Container: redis | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: argocd | Pod: argocd-redis-ha-server-0
- Container: sentinel | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: argocd | Pod: argocd-redis-ha-server-0
- Container: split-brain-fix | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: argocd | Pod: argocd-redis-ha-server-0
- Container: redis | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: argocd | Pod: argocd-redis-ha-server-1
- Container: sentinel | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: argocd | Pod: argocd-redis-ha-server-1
- Container: split-brain-fix | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: argocd | Pod: argocd-redis-ha-server-1
- Container: redis | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: argocd | Pod: argocd-redis-ha-server-2
- Container: sentinel | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: argocd | Pod: argocd-redis-ha-server-2
- Container: split-brain-fix | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: argocd | Pod: argocd-redis-ha-server-2
- Container: webserver-simple | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: cert-manager | Pod: simple-deployment-74fd649f8d-7cht8
- Container: webserver-simple | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: grafana | Pod: simple-deployment-74fd649f8d-l7wrd
- Container: node-driver-registrar | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-2l2wl
- Container: secrets-store | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-2l2wl
- Container: liveness-probe | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-2l2wl
- Container: node-driver-registrar | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-6w2vp
- Container: secrets-store | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-6w2vp
- Container: liveness-probe | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-6w2vp
- Container: node-driver-registrar | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-7879c
- Container: secrets-store | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-7879c
- Container: liveness-probe | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-7879c
- Container: node-driver-registrar | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-m8m29
- Container: secrets-store | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-m8m29
- Container: liveness-probe | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-m8m29
- Container: node-driver-registrar | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-vnmcd
- Container: secrets-store | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-vnmcd
- Container: liveness-probe | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-vnmcd
- Container: node-driver-registrar | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-zrfbz
- Container: secrets-store | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-zrfbz
- Container: liveness-probe | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-zrfbz
- Container: provider-azure-installer | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: aks-secrets-store-provider-azure-68nhw
- Container: provider-azure-installer | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: aks-secrets-store-provider-azure-7bqmn
- Container: provider-azure-installer | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: aks-secrets-store-provider-azure-7r458
- Container: provider-azure-installer | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: aks-secrets-store-provider-azure-k9tdc
- Container: provider-azure-installer | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: aks-secrets-store-provider-azure-n952g
- Container: provider-azure-installer | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: aks-secrets-store-provider-azure-njpqh
- Container: ama-logs | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-logs-4v8mz
- Container: ama-logs-prometheus | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-logs-4v8mz
- Container: ama-logs | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-logs-5vr2w
- Container: ama-logs-prometheus | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-logs-5vr2w
- Container: ama-logs | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-logs-fmd7b
- Container: ama-logs-prometheus | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-logs-fmd7b
- Container: ama-logs | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-logs-fpkw6
- Container: ama-logs-prometheus | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-logs-fpkw6
- Container: ama-logs | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-logs-gqs28
- Container: ama-logs-prometheus | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-logs-gqs28
- Container: ama-logs | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-logs-ndxrw
- Container: ama-logs-prometheus | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-logs-ndxrw
- Container: ama-logs | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-logs-rs-64765bd4b9-ldxwl
- Container: prometheus-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-7f878d975f-hlggb
- Container: addon-token-adapter | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-7f878d975f-hlggb
- Container: prometheus-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-7f878d975f-q2mlg
- Container: addon-token-adapter | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-7f878d975f-q2mlg
- Container: ama-metrics-ksm | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-ksm-5bd68b9c-8l9lp
- Container: prometheus-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-node-2ssrw
- Container: addon-token-adapter | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-node-2ssrw
- Container: prometheus-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-node-6kkz8
- Container: addon-token-adapter | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-node-6kkz8
- Container: prometheus-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-node-9h44h
- Container: addon-token-adapter | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-node-9h44h
- Container: prometheus-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-node-lhk42
- Container: addon-token-adapter | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-node-lhk42
- Container: prometheus-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-node-nm5bf
- Container: addon-token-adapter | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-node-nm5bf
- Container: prometheus-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-node-pqcz5
- Container: addon-token-adapter | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-node-pqcz5
- Container: targetallocator | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-operator-targets-66fb46c8d6-vskdg
- Container: config-reader | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: ama-metrics-operator-targets-66fb46c8d6-vskdg
- Container: azure-ip-masq-agent | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: azure-ip-masq-agent-4522j
- Container: azure-ip-masq-agent | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: azure-ip-masq-agent-4c7cr
- Container: azure-ip-masq-agent | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: azure-ip-masq-agent-78rnw
- Container: azure-ip-masq-agent | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: azure-ip-masq-agent-84ltn
- Container: azure-ip-masq-agent | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: azure-ip-masq-agent-t4c2w
- Container: azure-ip-masq-agent | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: azure-ip-masq-agent-vbdd8
- Container: azure-npm | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: azure-npm-jsbbh
- Container: azure-npm | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: azure-npm-lp6sf
- Container: azure-npm | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: azure-npm-nv6xx
- Container: azure-npm | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: azure-npm-p6fpw
- Container: azure-npm | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: azure-npm-vsrfp
- Container: azure-npm | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: azure-npm-z8mcz
- Container: azure-policy | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: azure-policy-698f7c86b4-nnff2
- Container: cloud-node-manager | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: cloud-node-manager-57rk2
- Container: cloud-node-manager | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: cloud-node-manager-gl5xl
- Container: cloud-node-manager | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: cloud-node-manager-l7v5j
- Container: cloud-node-manager | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: cloud-node-manager-lr49d
- Container: cloud-node-manager | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: cloud-node-manager-n5qdr
- Container: cloud-node-manager | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: cloud-node-manager-xwrrd
- Container: coredns | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: coredns-658d6d767d-757xp
- Container: coredns | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: coredns-658d6d767d-pt6l6
- Container: autoscaler | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: coredns-autoscaler-5955d6bbdb-mz9kn
- Container: extension-agent | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: kube-system | Pod: extension-agent-66c4486d68-46cqq
- Container: fluent-bit | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: kube-system | Pod: extension-agent-66c4486d68-46cqq
- Container: manager | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: kube-system | Pod: extension-operator-d95fd449b-ssrcx
- Container: fluent-bit | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: kube-system | Pod: extension-operator-d95fd449b-ssrcx
- Container: keda-admission-webhooks | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: keda-admission-webhooks-787f866c7c-4b64k
- Container: keda-admission-webhooks | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: keda-admission-webhooks-787f866c7c-dw2sg
- Container: keda-operator | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: keda-operator-6b85944bfb-4zpbp
- Container: keda-operator | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: keda-operator-6b85944bfb-sx9sj
- Container: keda-operator-metrics-apiserver | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: keda-operator-metrics-apiserver-8468875db7-86c5h
- Container: keda-operator-metrics-apiserver | Flags: runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: keda-operator-metrics-apiserver-8468875db7-ngp4h
- Container: konnectivity-agent | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: konnectivity-agent-9f65c5cd8-fzm5q
- Container: konnectivity-agent | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: konnectivity-agent-9f65c5cd8-t9qdj
- Container: autoscaler | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: konnectivity-agent-autoscaler-cdfc7c46-vct7p
- Container: kube-proxy | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: kube-proxy-26xkd
- Container: kube-proxy | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: kube-proxy-6mrql
- Container: kube-proxy | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: kube-proxy-9rbxf
- Container: kube-proxy | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: kube-proxy-njzgk
- Container: kube-proxy | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: kube-proxy-rvmxl
- Container: kube-proxy | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: kube-proxy-vp7xj
- Container: microsoft-defender-pod-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-collector-ds-6xdfq
- Container: microsoft-defender-low-level-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-collector-ds-6xdfq
- Container: microsoft-defender-pod-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-collector-ds-89l74
- Container: microsoft-defender-low-level-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-collector-ds-89l74
- Container: microsoft-defender-pod-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-collector-ds-d7gwk
- Container: microsoft-defender-low-level-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-collector-ds-d7gwk
- Container: microsoft-defender-pod-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-collector-ds-mdcs8
- Container: microsoft-defender-low-level-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-collector-ds-mdcs8
- Container: microsoft-defender-pod-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-collector-ds-q6d6c
- Container: microsoft-defender-low-level-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-collector-ds-q6d6c
- Container: microsoft-defender-pod-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-collector-ds-wb5dm
- Container: microsoft-defender-low-level-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-collector-ds-wb5dm
- Container: microsoft-defender-pod-collector | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-collector-misc-7df6776447-bcbph
- Container: microsoft-defender-publisher | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-2ql5b
- Container: microsoft-defender-publisher | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-2rsrw
- Container: microsoft-defender-publisher | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-jj6dh
- Container: microsoft-defender-publisher | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-l5crs
- Container: microsoft-defender-publisher | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-lfk8h
- Container: microsoft-defender-publisher | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-vz2c6
- Container: retina | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: retina-agent-cgv48
- Container: retina | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: retina-agent-gjxk8
- Container: retina | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: retina-agent-js76w
- Container: retina | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: retina-agent-lfn7d
- Container: retina | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: retina-agent-qc9bs
- Container: retina | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: retina-agent-wlt7b
- Container: admission-controller | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: vpa-admission-controller-7d9f8d57bd-lrcch
- Container: admission-controller | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: vpa-admission-controller-7d9f8d57bd-tnqvx
- Container: recommender | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: vpa-recommender-74bfff7f75-sspdc
- Container: updater | Flags: runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation: | Issue: Missing one or more secure defaults | Namespace: kube-system | Pod: vpa-updater-5d6d49f8b6-pxkz8
- Container: webserver-simple | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: kubeview | Pod: simple-deployment-74fd649f8d-qxp2r
- Container: webserver-simple | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: linkerd | Pod: simple-deployment-74fd649f8d-mkmst
- Container: webserver-simple | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: nginx | Pod: simple-deployment-74fd649f8d-hlcdk
- Container: order-service | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: pets | Pod: order-service-6c5bfb6946-b58xq
- Container: product-service | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: pets | Pod: product-service-5dd87dfb8-ssfxc
- Container: rabbitmq | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: pets | Pod: rabbitmq-0
- Container: store-front | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: pets | Pod: store-front-658994fd95-pk9qn
- Container: webserver-simple | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: prometheus | Pod: simple-deployment-74fd649f8d-2x6w5
- Container: webserver-simple | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: sealed-secrets | Pod: simple-deployment-74fd649f8d-stktp
- Container: webserver-simple | Flags: Missing securityContext | Issue: No securityContext defined | Namespace: test | Pod: simple-deployment-74fd649f8d-lhlkx

[SEC007 - Missing Pod Security Admission Labels]
Section: Security
Category: Pod Security
Severity: Low
Recommendation: Add 'pod-security.kubernetes.io/enforce' labels to your namespaces to enforce Pod Security standards. Use values like 'baseline' or 'restricted'.
URL: https://kubernetes.io/docs/concepts/security/pod-security-admission/
⚠️ Total Issues: 32
- Audit: N/A | Issue: No pod security labels | Namespace: 1 | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: 10 | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: 2 | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: 3 | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: 4 | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: 5 | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: 6 | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: 7 | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: 8 | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: 9 | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: aks-istio-egress | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: aks-istio-ingress | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: aks-istio-system | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: app-routing-system | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: argo-rollouts | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: argo-workflows | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: argocd | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: cert-manager | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: default | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: gatekeeper-system | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: grafana | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: kiali-operator | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: kube-node-lease | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: kube-public | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: kube-system | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: kubeview | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: linkerd | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: nginx | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: pets | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: prometheus | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: sealed-secrets | Warn: N/A
- Audit: N/A | Issue: No pod security labels | Namespace: test | Warn: N/A

[SEC008 - Secrets in Environment Variables]
Section: Security
Category: Pod Security
Severity: High
Recommendation: Avoid exposing secrets in environment variables. Mount secrets as volumes instead.
URL: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables
⚠️ Total Issues: 20
- EnvVar: env: REDIS_PASSWORD | Issue: Secret argocd-redis exposed via env var in container argocd-application-controller | Namespace: argocd | Pod: pod/argocd-application-controller-0
- EnvVar: env: AUTH | Issue: Secret argocd-redis exposed via env var in container haproxy | Namespace: argocd | Pod: pod/argocd-redis-ha-haproxy-fb657456c-kjbkq
- EnvVar: env: AUTH | Issue: Secret argocd-redis exposed via env var in container haproxy | Namespace: argocd | Pod: pod/argocd-redis-ha-haproxy-fb657456c-kjlpf
- EnvVar: env: AUTH | Issue: Secret argocd-redis exposed via env var in container haproxy | Namespace: argocd | Pod: pod/argocd-redis-ha-haproxy-fb657456c-tnjmb
- EnvVar: env: AUTH | Issue: Secret argocd-redis exposed via env var in container redis | Namespace: argocd | Pod: pod/argocd-redis-ha-server-0
- EnvVar: env: AUTH | Issue: Secret argocd-redis exposed via env var in container sentinel | Namespace: argocd | Pod: pod/argocd-redis-ha-server-0
- EnvVar: env: AUTH | Issue: Secret argocd-redis exposed via env var in container split-brain-fix | Namespace: argocd | Pod: pod/argocd-redis-ha-server-0
- EnvVar: env: AUTH | Issue: Secret argocd-redis exposed via env var in container config-init | Namespace: argocd | Pod: pod/argocd-redis-ha-server-0
- EnvVar: env: AUTH | Issue: Secret argocd-redis exposed via env var in container redis | Namespace: argocd | Pod: pod/argocd-redis-ha-server-1
- EnvVar: env: AUTH | Issue: Secret argocd-redis exposed via env var in container sentinel | Namespace: argocd | Pod: pod/argocd-redis-ha-server-1
- EnvVar: env: AUTH | Issue: Secret argocd-redis exposed via env var in container split-brain-fix | Namespace: argocd | Pod: pod/argocd-redis-ha-server-1
- EnvVar: env: AUTH | Issue: Secret argocd-redis exposed via env var in container config-init | Namespace: argocd | Pod: pod/argocd-redis-ha-server-1
- EnvVar: env: AUTH | Issue: Secret argocd-redis exposed via env var in container redis | Namespace: argocd | Pod: pod/argocd-redis-ha-server-2
- EnvVar: env: AUTH | Issue: Secret argocd-redis exposed via env var in container sentinel | Namespace: argocd | Pod: pod/argocd-redis-ha-server-2
- EnvVar: env: AUTH | Issue: Secret argocd-redis exposed via env var in container split-brain-fix | Namespace: argocd | Pod: pod/argocd-redis-ha-server-2
- EnvVar: env: AUTH | Issue: Secret argocd-redis exposed via env var in container config-init | Namespace: argocd | Pod: pod/argocd-redis-ha-server-2
- EnvVar: env: REDIS_PASSWORD | Issue: Secret argocd-redis exposed via env var in container argocd-repo-server | Namespace: argocd | Pod: pod/argocd-repo-server-8568fc89b5-sx6ks
- EnvVar: env: REDIS_PASSWORD | Issue: Secret argocd-redis exposed via env var in container argocd-repo-server | Namespace: argocd | Pod: pod/argocd-repo-server-8568fc89b5-xrzzn
- EnvVar: env: REDIS_PASSWORD | Issue: Secret argocd-redis exposed via env var in container argocd-server | Namespace: argocd | Pod: pod/argocd-server-54f9645b87-k4rz8
- EnvVar: env: REDIS_PASSWORD | Issue: Secret argocd-redis exposed via env var in container argocd-server | Namespace: argocd | Pod: pod/argocd-server-54f9645b87-wwzgz

[SEC009 - Missing Capabilities Drop]
Section: Security
Category: Pod Security
Severity: Medium
Recommendation: Explicitly drop all Linux capabilities unless specific ones are needed.
URL: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
⚠️ Total Issues: 42
- Container: webserver-simple | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: argo-rollouts | Pod: simple-deployment-74fd649f8d-996vt
- Container: webserver-simple | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: argo-workflows | Pod: simple-deployment-74fd649f8d-24t56
- Container: webserver-simple | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: cert-manager | Pod: simple-deployment-74fd649f8d-7cht8
- Container: webserver-simple | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: grafana | Pod: simple-deployment-74fd649f8d-l7wrd
- Container: node-driver-registrar | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-2l2wl
- Container: secrets-store | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-2l2wl
- Container: liveness-probe | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-2l2wl
- Container: node-driver-registrar | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-6w2vp
- Container: secrets-store | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-6w2vp
- Container: liveness-probe | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-6w2vp
- Container: node-driver-registrar | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-7879c
- Container: secrets-store | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-7879c
- Container: liveness-probe | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-7879c
- Container: node-driver-registrar | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-m8m29
- Container: secrets-store | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-m8m29
- Container: liveness-probe | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-m8m29
- Container: node-driver-registrar | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-vnmcd
- Container: secrets-store | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-vnmcd
- Container: liveness-probe | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-vnmcd
- Container: node-driver-registrar | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-zrfbz
- Container: secrets-store | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-zrfbz
- Container: liveness-probe | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-zrfbz
- Container: extension-agent | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: extension-agent-66c4486d68-46cqq
- Container: fluent-bit | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: extension-agent-66c4486d68-46cqq
- Container: manager | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: extension-operator-d95fd449b-ssrcx
- Container: fluent-bit | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: extension-operator-d95fd449b-ssrcx
- Container: kube-proxy | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: kube-proxy-26xkd
- Container: kube-proxy | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: kube-proxy-6mrql
- Container: kube-proxy | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: kube-proxy-9rbxf
- Container: kube-proxy | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: kube-proxy-njzgk
- Container: kube-proxy | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: kube-proxy-rvmxl
- Container: kube-proxy | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kube-system | Pod: kube-proxy-vp7xj
- Container: webserver-simple | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: kubeview | Pod: simple-deployment-74fd649f8d-qxp2r
- Container: webserver-simple | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: linkerd | Pod: simple-deployment-74fd649f8d-mkmst
- Container: webserver-simple | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: nginx | Pod: simple-deployment-74fd649f8d-hlcdk
- Container: order-service | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: pets | Pod: order-service-6c5bfb6946-b58xq
- Container: product-service | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: pets | Pod: product-service-5dd87dfb8-ssfxc
- Container: rabbitmq | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: pets | Pod: rabbitmq-0
- Container: store-front | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: pets | Pod: store-front-658994fd95-pk9qn
- Container: webserver-simple | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: prometheus | Pod: simple-deployment-74fd649f8d-2x6w5
- Container: webserver-simple | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: sealed-secrets | Pod: simple-deployment-74fd649f8d-stktp
- Container: webserver-simple | DroppedCapabilities: | Issue: Does not drop ALL capabilities | Namespace: test | Pod: simple-deployment-74fd649f8d-lhlkx

[SEC010 - HostPath Volume Usage]
Section: Security
Category: Pod Security
Severity: High
Recommendation: Avoid using hostPath unless absolutely necessary. Use persistent volumes instead.
URL: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
⚠️ Total Issues: 309
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/pods | Pod: aks-secrets-store-csi-driver-2l2wl | Volume: mountpoint-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/plugins_registry/ | Pod: aks-secrets-store-csi-driver-2l2wl | Volume: registration-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/plugins/csi-secrets-store/ | Pod: aks-secrets-store-csi-driver-2l2wl | Volume: plugin-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/secrets-store-csi-providers | Pod: aks-secrets-store-csi-driver-2l2wl | Volume: providers-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes/secrets-store-csi-providers | Pod: aks-secrets-store-csi-driver-2l2wl | Volume: providers-dir-0
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/pods | Pod: aks-secrets-store-csi-driver-6w2vp | Volume: mountpoint-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/plugins_registry/ | Pod: aks-secrets-store-csi-driver-6w2vp | Volume: registration-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/plugins/csi-secrets-store/ | Pod: aks-secrets-store-csi-driver-6w2vp | Volume: plugin-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/secrets-store-csi-providers | Pod: aks-secrets-store-csi-driver-6w2vp | Volume: providers-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes/secrets-store-csi-providers | Pod: aks-secrets-store-csi-driver-6w2vp | Volume: providers-dir-0
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/pods | Pod: aks-secrets-store-csi-driver-7879c | Volume: mountpoint-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/plugins_registry/ | Pod: aks-secrets-store-csi-driver-7879c | Volume: registration-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/plugins/csi-secrets-store/ | Pod: aks-secrets-store-csi-driver-7879c | Volume: plugin-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/secrets-store-csi-providers | Pod: aks-secrets-store-csi-driver-7879c | Volume: providers-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes/secrets-store-csi-providers | Pod: aks-secrets-store-csi-driver-7879c | Volume: providers-dir-0
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/pods | Pod: aks-secrets-store-csi-driver-m8m29 | Volume: mountpoint-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/plugins_registry/ | Pod: aks-secrets-store-csi-driver-m8m29 | Volume: registration-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/plugins/csi-secrets-store/ | Pod: aks-secrets-store-csi-driver-m8m29 | Volume: plugin-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/secrets-store-csi-providers | Pod: aks-secrets-store-csi-driver-m8m29 | Volume: providers-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes/secrets-store-csi-providers | Pod: aks-secrets-store-csi-driver-m8m29 | Volume: providers-dir-0
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/pods | Pod: aks-secrets-store-csi-driver-vnmcd | Volume: mountpoint-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/plugins_registry/ | Pod: aks-secrets-store-csi-driver-vnmcd | Volume: registration-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/plugins/csi-secrets-store/ | Pod: aks-secrets-store-csi-driver-vnmcd | Volume: plugin-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/secrets-store-csi-providers | Pod: aks-secrets-store-csi-driver-vnmcd | Volume: providers-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes/secrets-store-csi-providers | Pod: aks-secrets-store-csi-driver-vnmcd | Volume: providers-dir-0
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/pods | Pod: aks-secrets-store-csi-driver-zrfbz | Volume: mountpoint-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/plugins_registry/ | Pod: aks-secrets-store-csi-driver-zrfbz | Volume: registration-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/kubelet/plugins/csi-secrets-store/ | Pod: aks-secrets-store-csi-driver-zrfbz | Volume: plugin-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/secrets-store-csi-providers | Pod: aks-secrets-store-csi-driver-zrfbz | Volume: providers-dir
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes/secrets-store-csi-providers | Pod: aks-secrets-store-csi-driver-zrfbz | Volume: providers-dir-0
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/secrets-store-csi-providers | Pod: aks-secrets-store-provider-azure-68nhw | Volume: provider-vol
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/secrets-store-csi-providers | Pod: aks-secrets-store-provider-azure-7bqmn | Volume: provider-vol
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/secrets-store-csi-providers | Pod: aks-secrets-store-provider-azure-7r458 | Volume: provider-vol
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/secrets-store-csi-providers | Pod: aks-secrets-store-provider-azure-k9tdc | Volume: provider-vol
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/secrets-store-csi-providers | Pod: aks-secrets-store-provider-azure-n952g | Volume: provider-vol
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/secrets-store-csi-providers | Pod: aks-secrets-store-provider-azure-njpqh | Volume: provider-vol
- Issue: hostPath volume used | Namespace: kube-system | Path: / | Pod: ama-logs-4v8mz | Volume: host-root
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/hostname | Pod: ama-logs-4v8mz | Volume: container-hostname
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: ama-logs-4v8mz | Volume: host-log
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/mdsd-ci | Pod: ama-logs-4v8mz | Volume: mdsd-sock
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/docker/containers | Pod: ama-logs-4v8mz | Volume: containerlog-path
- Issue: hostPath volume used | Namespace: kube-system | Path: /mnt/docker | Pod: ama-logs-4v8mz | Volume: containerlog-path-2
- Issue: hostPath volume used | Namespace: kube-system | Path: /mnt/containers | Pod: ama-logs-4v8mz | Volume: containerlog-path-3
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes | Pod: ama-logs-4v8mz | Volume: azure-json-path
- Issue: hostPath volume used | Namespace: kube-system | Path: / | Pod: ama-logs-5vr2w | Volume: host-root
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/hostname | Pod: ama-logs-5vr2w | Volume: container-hostname
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: ama-logs-5vr2w | Volume: host-log
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/mdsd-ci | Pod: ama-logs-5vr2w | Volume: mdsd-sock
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/docker/containers | Pod: ama-logs-5vr2w | Volume: containerlog-path
- Issue: hostPath volume used | Namespace: kube-system | Path: /mnt/docker | Pod: ama-logs-5vr2w | Volume: containerlog-path-2
- Issue: hostPath volume used | Namespace: kube-system | Path: /mnt/containers | Pod: ama-logs-5vr2w | Volume: containerlog-path-3
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes | Pod: ama-logs-5vr2w | Volume: azure-json-path
- Issue: hostPath volume used | Namespace: kube-system | Path: / | Pod: ama-logs-fmd7b | Volume: host-root
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/hostname | Pod: ama-logs-fmd7b | Volume: container-hostname
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: ama-logs-fmd7b | Volume: host-log
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/mdsd-ci | Pod: ama-logs-fmd7b | Volume: mdsd-sock
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/docker/containers | Pod: ama-logs-fmd7b | Volume: containerlog-path
- Issue: hostPath volume used | Namespace: kube-system | Path: /mnt/docker | Pod: ama-logs-fmd7b | Volume: containerlog-path-2
- Issue: hostPath volume used | Namespace: kube-system | Path: /mnt/containers | Pod: ama-logs-fmd7b | Volume: containerlog-path-3
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes | Pod: ama-logs-fmd7b | Volume: azure-json-path
- Issue: hostPath volume used | Namespace: kube-system | Path: / | Pod: ama-logs-fpkw6 | Volume: host-root
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/hostname | Pod: ama-logs-fpkw6 | Volume: container-hostname
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: ama-logs-fpkw6 | Volume: host-log
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/mdsd-ci | Pod: ama-logs-fpkw6 | Volume: mdsd-sock
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/docker/containers | Pod: ama-logs-fpkw6 | Volume: containerlog-path
- Issue: hostPath volume used | Namespace: kube-system | Path: /mnt/docker | Pod: ama-logs-fpkw6 | Volume: containerlog-path-2
- Issue: hostPath volume used | Namespace: kube-system | Path: /mnt/containers | Pod: ama-logs-fpkw6 | Volume: containerlog-path-3
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes | Pod: ama-logs-fpkw6 | Volume: azure-json-path
- Issue: hostPath volume used | Namespace: kube-system | Path: / | Pod: ama-logs-gqs28 | Volume: host-root
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/hostname | Pod: ama-logs-gqs28 | Volume: container-hostname
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: ama-logs-gqs28 | Volume: host-log
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/mdsd-ci | Pod: ama-logs-gqs28 | Volume: mdsd-sock
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/docker/containers | Pod: ama-logs-gqs28 | Volume: containerlog-path
- Issue: hostPath volume used | Namespace: kube-system | Path: /mnt/docker | Pod: ama-logs-gqs28 | Volume: containerlog-path-2
- Issue: hostPath volume used | Namespace: kube-system | Path: /mnt/containers | Pod: ama-logs-gqs28 | Volume: containerlog-path-3
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes | Pod: ama-logs-gqs28 | Volume: azure-json-path
- Issue: hostPath volume used | Namespace: kube-system | Path: / | Pod: ama-logs-ndxrw | Volume: host-root
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/hostname | Pod: ama-logs-ndxrw | Volume: container-hostname
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: ama-logs-ndxrw | Volume: host-log
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/mdsd-ci | Pod: ama-logs-ndxrw | Volume: mdsd-sock
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/docker/containers | Pod: ama-logs-ndxrw | Volume: containerlog-path
- Issue: hostPath volume used | Namespace: kube-system | Path: /mnt/docker | Pod: ama-logs-ndxrw | Volume: containerlog-path-2
- Issue: hostPath volume used | Namespace: kube-system | Path: /mnt/containers | Pod: ama-logs-ndxrw | Volume: containerlog-path-3
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes | Pod: ama-logs-ndxrw | Volume: azure-json-path
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/hostname | Pod: ama-logs-rs-64765bd4b9-ldxwl | Volume: container-hostname
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: ama-logs-rs-64765bd4b9-ldxwl | Volume: host-log
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes | Pod: ama-logs-rs-64765bd4b9-ldxwl | Volume: azure-json-path
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log/containers | Pod: ama-metrics-7f878d975f-hlggb | Volume: host-log-containers
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log/pods | Pod: ama-metrics-7f878d975f-hlggb | Volume: host-log-pods
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/pki/ca-trust/anchors/ | Pod: ama-metrics-7f878d975f-hlggb | Volume: anchors-mariner
- Issue: hostPath volume used | Namespace: kube-system | Path: /usr/local/share/ca-certificates/ | Pod: ama-metrics-7f878d975f-hlggb | Volume: anchors-ubuntu
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log/containers | Pod: ama-metrics-7f878d975f-q2mlg | Volume: host-log-containers
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log/pods | Pod: ama-metrics-7f878d975f-q2mlg | Volume: host-log-pods
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/pki/ca-trust/anchors/ | Pod: ama-metrics-7f878d975f-q2mlg | Volume: anchors-mariner
- Issue: hostPath volume used | Namespace: kube-system | Path: /usr/local/share/ca-certificates/ | Pod: ama-metrics-7f878d975f-q2mlg | Volume: anchors-ubuntu
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log/containers | Pod: ama-metrics-node-2ssrw | Volume: host-log-containers
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log/pods | Pod: ama-metrics-node-2ssrw | Volume: host-log-pods
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/pki/ca-trust/anchors/ | Pod: ama-metrics-node-2ssrw | Volume: anchors-mariner
- Issue: hostPath volume used | Namespace: kube-system | Path: /usr/local/share/ca-certificates/ | Pod: ama-metrics-node-2ssrw | Volume: anchors-ubuntu
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log/containers | Pod: ama-metrics-node-6kkz8 | Volume: host-log-containers
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log/pods | Pod: ama-metrics-node-6kkz8 | Volume: host-log-pods
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/pki/ca-trust/anchors/ | Pod: ama-metrics-node-6kkz8 | Volume: anchors-mariner
- Issue: hostPath volume used | Namespace: kube-system | Path: /usr/local/share/ca-certificates/ | Pod: ama-metrics-node-6kkz8 | Volume: anchors-ubuntu
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log/containers | Pod: ama-metrics-node-9h44h | Volume: host-log-containers
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log/pods | Pod: ama-metrics-node-9h44h | Volume: host-log-pods
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/pki/ca-trust/anchors/ | Pod: ama-metrics-node-9h44h | Volume: anchors-mariner
- Issue: hostPath volume used | Namespace: kube-system | Path: /usr/local/share/ca-certificates/ | Pod: ama-metrics-node-9h44h | Volume: anchors-ubuntu
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log/containers | Pod: ama-metrics-node-lhk42 | Volume: host-log-containers
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log/pods | Pod: ama-metrics-node-lhk42 | Volume: host-log-pods
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/pki/ca-trust/anchors/ | Pod: ama-metrics-node-lhk42 | Volume: anchors-mariner
- Issue: hostPath volume used | Namespace: kube-system | Path: /usr/local/share/ca-certificates/ | Pod: ama-metrics-node-lhk42 | Volume: anchors-ubuntu
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log/containers | Pod: ama-metrics-node-nm5bf | Volume: host-log-containers
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log/pods | Pod: ama-metrics-node-nm5bf | Volume: host-log-pods
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/pki/ca-trust/anchors/ | Pod: ama-metrics-node-nm5bf | Volume: anchors-mariner
- Issue: hostPath volume used | Namespace: kube-system | Path: /usr/local/share/ca-certificates/ | Pod: ama-metrics-node-nm5bf | Volume: anchors-ubuntu
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log/containers | Pod: ama-metrics-node-pqcz5 | Volume: host-log-containers
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log/pods | Pod: ama-metrics-node-pqcz5 | Volume: host-log-pods
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/pki/ca-trust/anchors/ | Pod: ama-metrics-node-pqcz5 | Volume: anchors-mariner
- Issue: hostPath volume used | Namespace: kube-system | Path: /usr/local/share/ca-certificates/ | Pod: ama-metrics-node-pqcz5 | Volume: anchors-ubuntu
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: azure-ip-masq-agent-4522j | Volume: iptableslock
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: azure-ip-masq-agent-4c7cr | Volume: iptableslock
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: azure-ip-masq-agent-78rnw | Volume: iptableslock
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: azure-ip-masq-agent-84ltn | Volume: iptableslock
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: azure-ip-masq-agent-t4c2w | Volume: iptableslock
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: azure-ip-masq-agent-vbdd8 | Volume: iptableslock
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: azure-npm-jsbbh | Volume: log
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: azure-npm-jsbbh | Volume: xtables-lock
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/protocols | Pod: azure-npm-jsbbh | Volume: protocols
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: azure-npm-lp6sf | Volume: log
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: azure-npm-lp6sf | Volume: xtables-lock
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/protocols | Pod: azure-npm-lp6sf | Volume: protocols
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: azure-npm-nv6xx | Volume: log
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: azure-npm-nv6xx | Volume: xtables-lock
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/protocols | Pod: azure-npm-nv6xx | Volume: protocols
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: azure-npm-p6fpw | Volume: log
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: azure-npm-p6fpw | Volume: xtables-lock
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/protocols | Pod: azure-npm-p6fpw | Volume: protocols
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: azure-npm-vsrfp | Volume: log
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: azure-npm-vsrfp | Volume: xtables-lock
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/protocols | Pod: azure-npm-vsrfp | Volume: protocols
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: azure-npm-z8mcz | Volume: log
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: azure-npm-z8mcz | Volume: xtables-lock
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/protocols | Pod: azure-npm-z8mcz | Volume: protocols
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes/azure.json | Pod: azure-policy-698f7c86b4-nnff2 | Volume: acs-credential
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/ssl/certs | Pod: azure-policy-698f7c86b4-nnff2 | Volume: ca-certs
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/pki/ca-trust/extracted | Pod: azure-policy-698f7c86b4-nnff2 | Volume: etc-pki-ca-certs
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: extension-agent-66c4486d68-46cqq | Volume: varlog
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/docker/containers | Pod: extension-agent-66c4486d68-46cqq | Volume: varlibdockercontainers
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes/azure.json | Pod: extension-agent-66c4486d68-46cqq | Volume: acs-credential
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: extension-operator-d95fd449b-ssrcx | Volume: varlog
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/lib/docker/containers | Pod: extension-operator-d95fd449b-ssrcx | Volume: varlibdockercontainers
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes/azure.json | Pod: extension-operator-d95fd449b-ssrcx | Volume: acs-credential
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: kube-proxy-26xkd | Volume: iptableslock
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/sysctl.d | Pod: kube-proxy-26xkd | Volume: sysctls
- Issue: hostPath volume used | Namespace: kube-system | Path: /lib/modules | Pod: kube-proxy-26xkd | Volume: modules
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: kube-proxy-6mrql | Volume: iptableslock
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/sysctl.d | Pod: kube-proxy-6mrql | Volume: sysctls
- Issue: hostPath volume used | Namespace: kube-system | Path: /lib/modules | Pod: kube-proxy-6mrql | Volume: modules
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: kube-proxy-9rbxf | Volume: iptableslock
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/sysctl.d | Pod: kube-proxy-9rbxf | Volume: sysctls
- Issue: hostPath volume used | Namespace: kube-system | Path: /lib/modules | Pod: kube-proxy-9rbxf | Volume: modules
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: kube-proxy-njzgk | Volume: iptableslock
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/sysctl.d | Pod: kube-proxy-njzgk | Volume: sysctls
- Issue: hostPath volume used | Namespace: kube-system | Path: /lib/modules | Pod: kube-proxy-njzgk | Volume: modules
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: kube-proxy-rvmxl | Volume: iptableslock
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/sysctl.d | Pod: kube-proxy-rvmxl | Volume: sysctls
- Issue: hostPath volume used | Namespace: kube-system | Path: /lib/modules | Pod: kube-proxy-rvmxl | Volume: modules
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/xtables.lock | Pod: kube-proxy-vp7xj | Volume: iptableslock
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc/sysctl.d | Pod: kube-proxy-vp7xj | Volume: sysctls
- Issue: hostPath volume used | Namespace: kube-system | Path: /lib/modules | Pod: kube-proxy-vp7xj | Volume: modules
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: microsoft-defender-collector-ds-6xdfq | Volume: host-log
- Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel | Pod: microsoft-defender-collector-ds-6xdfq | Volume: debugfs
- Issue: hostPath volume used | Namespace: kube-system | Path: /lib/modules | Pod: microsoft-defender-collector-ds-6xdfq | Volume: modules
- Issue: hostPath volume used | Namespace: kube-system | Path: /usr/src | Pod: microsoft-defender-collector-ds-6xdfq | Volume: usr-src
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/containerd/containerd.sock | Pod: microsoft-defender-collector-ds-6xdfq | Volume: containerd-file-sock
- Issue: hostPath volume used | Namespace: kube-system | Path: /proc | Pod: microsoft-defender-collector-ds-6xdfq | Volume: proc
- Issue: hostPath volume used | Namespace: kube-system | Path: /bin | Pod: microsoft-defender-collector-ds-6xdfq | Volume: bin
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc | Pod: microsoft-defender-collector-ds-6xdfq | Volume: etc
- Issue: hostPath volume used | Namespace: kube-system | Path: /opt | Pod: microsoft-defender-collector-ds-6xdfq | Volume: opt
- Issue: hostPath volume used | Namespace: kube-system | Path: /usr | Pod: microsoft-defender-collector-ds-6xdfq | Volume: usr
- Issue: hostPath volume used | Namespace: kube-system | Path: /run | Pod: microsoft-defender-collector-ds-6xdfq | Volume: run
- Issue: hostPath volume used | Namespace: kube-system | Path: /sys/fs/bpf | Pod: microsoft-defender-collector-ds-6xdfq | Volume: bpffs
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: microsoft-defender-collector-ds-89l74 | Volume: host-log
- Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel | Pod: microsoft-defender-collector-ds-89l74 | Volume: debugfs
- Issue: hostPath volume used | Namespace: kube-system | Path: /lib/modules | Pod: microsoft-defender-collector-ds-89l74 | Volume: modules
- Issue: hostPath volume used | Namespace: kube-system | Path: /usr/src | Pod: microsoft-defender-collector-ds-89l74 | Volume: usr-src
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/containerd/containerd.sock | Pod: microsoft-defender-collector-ds-89l74 | Volume: containerd-file-sock
- Issue: hostPath volume used | Namespace: kube-system | Path: /proc | Pod: microsoft-defender-collector-ds-89l74 | Volume: proc
- Issue: hostPath volume used | Namespace: kube-system | Path: /bin | Pod: microsoft-defender-collector-ds-89l74 | Volume: bin
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc | Pod: microsoft-defender-collector-ds-89l74 | Volume: etc
- Issue: hostPath volume used | Namespace: kube-system | Path: /opt | Pod: microsoft-defender-collector-ds-89l74 | Volume: opt
- Issue: hostPath volume used | Namespace: kube-system | Path: /usr | Pod: microsoft-defender-collector-ds-89l74 | Volume: usr
- Issue: hostPath volume used | Namespace: kube-system | Path: /run | Pod: microsoft-defender-collector-ds-89l74 | Volume: run
- Issue: hostPath volume used | Namespace: kube-system | Path: /sys/fs/bpf | Pod: microsoft-defender-collector-ds-89l74 | Volume: bpffs
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: microsoft-defender-collector-ds-d7gwk | Volume: host-log
- Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel | Pod: microsoft-defender-collector-ds-d7gwk | Volume: debugfs
- Issue: hostPath volume used | Namespace: kube-system | Path: /lib/modules | Pod: microsoft-defender-collector-ds-d7gwk | Volume: modules
- Issue: hostPath volume used | Namespace: kube-system | Path: /usr/src | Pod: microsoft-defender-collector-ds-d7gwk | Volume: usr-src
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/containerd/containerd.sock | Pod: microsoft-defender-collector-ds-d7gwk | Volume: containerd-file-sock
- Issue: hostPath volume used | Namespace: kube-system | Path: /proc | Pod: microsoft-defender-collector-ds-d7gwk | Volume: proc
- Issue: hostPath volume used | Namespace: kube-system | Path: /bin | Pod: microsoft-defender-collector-ds-d7gwk | Volume: bin
- Issue: hostPath volume used | Namespace: kube-system | Path: /etc | Pod: microsoft-defender-collector-ds-d7gwk | Volume: etc
- Issue: hostPath volume used | Namespace: kube-system | Path: /opt | Pod: microsoft-defender-collector-ds-d7gwk | Volume: opt
- Issue: hostPath volume used | Namespace: kube-system | Path: /usr | Pod: microsoft-defender-collector-ds-d7gwk | Volume: usr
- Issue: hostPath volume used | Namespace: kube-system | Path: /run | Pod: microsoft-defender-collector-ds-d7gwk | Volume: run
- Issue: hostPath volume used | Namespace: kube-system | Path: /sys/fs/bpf | Pod: microsoft-defender-collector-ds-d7gwk | Volume: bpffs
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: microsoft-defender-collector-ds-mdcs8 | Volume: host-log
- Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel | Pod: microsoft-defender-collector-ds-mdcs8 | Volume: debugfs
- Issue: hostPath volume used | Namespace: kube-system | Path: /lib/modules | Pod: microsoft-defender-collector-ds-mdcs8 | Volume: modules
- Issue: hostPath volume used | Namespace: kube-system | Path: /usr/src | Pod: microsoft-defender-collector-ds-mdcs8 | Volume: usr-src
- Issue: hostPath volume used | Namespace: kube-system | Path: /run/containerd/containerd.sock | Pod: microsoft-defender-collector-ds-mdcs8 | Volume: containerd-file-sock
- Issue: hostPath
volume used | Namespace: kube-system | Path: /proc | Pod: microsoft-defender-collector-ds-mdcs8 | Volume: proc - Issue: hostPath volume used | Namespace: kube-system | Path: /bin | Pod: microsoft-defender-collector-ds-mdcs8 | Volume: bin - Issue: hostPath volume used | Namespace: kube-system | Path: /etc | Pod: microsoft-defender-collector-ds-mdcs8 | Volume: etc - Issue: hostPath volume used | Namespace: kube-system | Path: /opt | Pod: microsoft-defender-collector-ds-mdcs8 | Volume: opt - Issue: hostPath volume used | Namespace: kube-system | Path: /usr | Pod: microsoft-defender-collector-ds-mdcs8 | Volume: usr - Issue: hostPath volume used | Namespace: kube-system | Path: /run | Pod: microsoft-defender-collector-ds-mdcs8 | Volume: run - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/fs/bpf | Pod: microsoft-defender-collector-ds-mdcs8 | Volume: bpffs - Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: microsoft-defender-collector-ds-q6d6c | Volume: host-log - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel | Pod: microsoft-defender-collector-ds-q6d6c | Volume: debugfs - Issue: hostPath volume used | Namespace: kube-system | Path: /lib/modules | Pod: microsoft-defender-collector-ds-q6d6c | Volume: modules - Issue: hostPath volume used | Namespace: kube-system | Path: /usr/src | Pod: microsoft-defender-collector-ds-q6d6c | Volume: usr-src - Issue: hostPath volume used | Namespace: kube-system | Path: /run/containerd/containerd.sock | Pod: microsoft-defender-collector-ds-q6d6c | Volume: containerd-file-sock - Issue: hostPath volume used | Namespace: kube-system | Path: /proc | Pod: microsoft-defender-collector-ds-q6d6c | Volume: proc - Issue: hostPath volume used | Namespace: kube-system | Path: /bin | Pod: microsoft-defender-collector-ds-q6d6c | Volume: bin - Issue: hostPath volume used | Namespace: kube-system | Path: /etc | Pod: microsoft-defender-collector-ds-q6d6c | Volume: etc - Issue: 
hostPath volume used | Namespace: kube-system | Path: /opt | Pod: microsoft-defender-collector-ds-q6d6c | Volume: opt - Issue: hostPath volume used | Namespace: kube-system | Path: /usr | Pod: microsoft-defender-collector-ds-q6d6c | Volume: usr - Issue: hostPath volume used | Namespace: kube-system | Path: /run | Pod: microsoft-defender-collector-ds-q6d6c | Volume: run - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/fs/bpf | Pod: microsoft-defender-collector-ds-q6d6c | Volume: bpffs - Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: microsoft-defender-collector-ds-wb5dm | Volume: host-log - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel | Pod: microsoft-defender-collector-ds-wb5dm | Volume: debugfs - Issue: hostPath volume used | Namespace: kube-system | Path: /lib/modules | Pod: microsoft-defender-collector-ds-wb5dm | Volume: modules - Issue: hostPath volume used | Namespace: kube-system | Path: /usr/src | Pod: microsoft-defender-collector-ds-wb5dm | Volume: usr-src - Issue: hostPath volume used | Namespace: kube-system | Path: /run/containerd/containerd.sock | Pod: microsoft-defender-collector-ds-wb5dm | Volume: containerd-file-sock - Issue: hostPath volume used | Namespace: kube-system | Path: /proc | Pod: microsoft-defender-collector-ds-wb5dm | Volume: proc - Issue: hostPath volume used | Namespace: kube-system | Path: /bin | Pod: microsoft-defender-collector-ds-wb5dm | Volume: bin - Issue: hostPath volume used | Namespace: kube-system | Path: /etc | Pod: microsoft-defender-collector-ds-wb5dm | Volume: etc - Issue: hostPath volume used | Namespace: kube-system | Path: /opt | Pod: microsoft-defender-collector-ds-wb5dm | Volume: opt - Issue: hostPath volume used | Namespace: kube-system | Path: /usr | Pod: microsoft-defender-collector-ds-wb5dm | Volume: usr - Issue: hostPath volume used | Namespace: kube-system | Path: /run | Pod: microsoft-defender-collector-ds-wb5dm | Volume: run - Issue: 
hostPath volume used | Namespace: kube-system | Path: /sys/fs/bpf | Pod: microsoft-defender-collector-ds-wb5dm | Volume: bpffs - Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: microsoft-defender-collector-misc-7df6776447-bcbph | Volume: host-log - Issue: hostPath volume used | Namespace: kube-system | Path: /var/microsoft/microsoft-defender-for-cloud | Pod: microsoft-defender-publisher-ds-2ql5b | Volume: cert-onboarding - Issue: hostPath volume used | Namespace: kube-system | Path: / | Pod: microsoft-defender-publisher-ds-2ql5b | Volume: host-root - Issue: hostPath volume used | Namespace: kube-system | Path: /var/run | Pod: microsoft-defender-publisher-ds-2ql5b | Volume: docker-sock - Issue: hostPath volume used | Namespace: kube-system | Path: /etc/hostname | Pod: microsoft-defender-publisher-ds-2ql5b | Volume: container-hostname - Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: microsoft-defender-publisher-ds-2ql5b | Volume: host-log - Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes | Pod: microsoft-defender-publisher-ds-2ql5b | Volume: azure-json-path - Issue: hostPath volume used | Namespace: kube-system | Path: /var/microsoft/microsoft-defender-for-cloud | Pod: microsoft-defender-publisher-ds-2rsrw | Volume: cert-onboarding - Issue: hostPath volume used | Namespace: kube-system | Path: / | Pod: microsoft-defender-publisher-ds-2rsrw | Volume: host-root - Issue: hostPath volume used | Namespace: kube-system | Path: /var/run | Pod: microsoft-defender-publisher-ds-2rsrw | Volume: docker-sock - Issue: hostPath volume used | Namespace: kube-system | Path: /etc/hostname | Pod: microsoft-defender-publisher-ds-2rsrw | Volume: container-hostname - Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: microsoft-defender-publisher-ds-2rsrw | Volume: host-log - Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes | Pod: 
microsoft-defender-publisher-ds-2rsrw | Volume: azure-json-path - Issue: hostPath volume used | Namespace: kube-system | Path: /var/microsoft/microsoft-defender-for-cloud | Pod: microsoft-defender-publisher-ds-jj6dh | Volume: cert-onboarding - Issue: hostPath volume used | Namespace: kube-system | Path: / | Pod: microsoft-defender-publisher-ds-jj6dh | Volume: host-root - Issue: hostPath volume used | Namespace: kube-system | Path: /var/run | Pod: microsoft-defender-publisher-ds-jj6dh | Volume: docker-sock - Issue: hostPath volume used | Namespace: kube-system | Path: /etc/hostname | Pod: microsoft-defender-publisher-ds-jj6dh | Volume: container-hostname - Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: microsoft-defender-publisher-ds-jj6dh | Volume: host-log - Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes | Pod: microsoft-defender-publisher-ds-jj6dh | Volume: azure-json-path - Issue: hostPath volume used | Namespace: kube-system | Path: /var/microsoft/microsoft-defender-for-cloud | Pod: microsoft-defender-publisher-ds-l5crs | Volume: cert-onboarding - Issue: hostPath volume used | Namespace: kube-system | Path: / | Pod: microsoft-defender-publisher-ds-l5crs | Volume: host-root - Issue: hostPath volume used | Namespace: kube-system | Path: /var/run | Pod: microsoft-defender-publisher-ds-l5crs | Volume: docker-sock - Issue: hostPath volume used | Namespace: kube-system | Path: /etc/hostname | Pod: microsoft-defender-publisher-ds-l5crs | Volume: container-hostname - Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: microsoft-defender-publisher-ds-l5crs | Volume: host-log - Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes | Pod: microsoft-defender-publisher-ds-l5crs | Volume: azure-json-path - Issue: hostPath volume used | Namespace: kube-system | Path: /var/microsoft/microsoft-defender-for-cloud | Pod: microsoft-defender-publisher-ds-lfk8h | Volume: 
cert-onboarding - Issue: hostPath volume used | Namespace: kube-system | Path: / | Pod: microsoft-defender-publisher-ds-lfk8h | Volume: host-root - Issue: hostPath volume used | Namespace: kube-system | Path: /var/run | Pod: microsoft-defender-publisher-ds-lfk8h | Volume: docker-sock - Issue: hostPath volume used | Namespace: kube-system | Path: /etc/hostname | Pod: microsoft-defender-publisher-ds-lfk8h | Volume: container-hostname - Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: microsoft-defender-publisher-ds-lfk8h | Volume: host-log - Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes | Pod: microsoft-defender-publisher-ds-lfk8h | Volume: azure-json-path - Issue: hostPath volume used | Namespace: kube-system | Path: /var/microsoft/microsoft-defender-for-cloud | Pod: microsoft-defender-publisher-ds-vz2c6 | Volume: cert-onboarding - Issue: hostPath volume used | Namespace: kube-system | Path: / | Pod: microsoft-defender-publisher-ds-vz2c6 | Volume: host-root - Issue: hostPath volume used | Namespace: kube-system | Path: /var/run | Pod: microsoft-defender-publisher-ds-vz2c6 | Volume: docker-sock - Issue: hostPath volume used | Namespace: kube-system | Path: /etc/hostname | Pod: microsoft-defender-publisher-ds-vz2c6 | Volume: container-hostname - Issue: hostPath volume used | Namespace: kube-system | Path: /var/log | Pod: microsoft-defender-publisher-ds-vz2c6 | Volume: host-log - Issue: hostPath volume used | Namespace: kube-system | Path: /etc/kubernetes | Pod: microsoft-defender-publisher-ds-vz2c6 | Volume: azure-json-path - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel/debug | Pod: retina-agent-cgv48 | Volume: debug - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel/tracing | Pod: retina-agent-cgv48 | Volume: trace - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/fs/bpf | Pod: retina-agent-cgv48 | Volume: bpf - Issue: hostPath volume used 
| Namespace: kube-system | Path: /sys/fs/cgroup | Pod: retina-agent-cgv48 | Volume: cgroup - Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/cilium | Pod: retina-agent-cgv48 | Volume: cilium - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel/debug | Pod: retina-agent-gjxk8 | Volume: debug - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel/tracing | Pod: retina-agent-gjxk8 | Volume: trace - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/fs/bpf | Pod: retina-agent-gjxk8 | Volume: bpf - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/fs/cgroup | Pod: retina-agent-gjxk8 | Volume: cgroup - Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/cilium | Pod: retina-agent-gjxk8 | Volume: cilium - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel/debug | Pod: retina-agent-js76w | Volume: debug - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel/tracing | Pod: retina-agent-js76w | Volume: trace - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/fs/bpf | Pod: retina-agent-js76w | Volume: bpf - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/fs/cgroup | Pod: retina-agent-js76w | Volume: cgroup - Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/cilium | Pod: retina-agent-js76w | Volume: cilium - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel/debug | Pod: retina-agent-lfn7d | Volume: debug - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel/tracing | Pod: retina-agent-lfn7d | Volume: trace - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/fs/bpf | Pod: retina-agent-lfn7d | Volume: bpf - Issue: hostPath volume used | Namespace: kube-system | Path: /sys/fs/cgroup | Pod: retina-agent-lfn7d | Volume: cgroup - Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/cilium | Pod: 
retina-agent-lfn7d | Volume: cilium
- Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel/debug | Pod: retina-agent-qc9bs | Volume: debug
- Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel/tracing | Pod: retina-agent-qc9bs | Volume: trace
- Issue: hostPath volume used | Namespace: kube-system | Path: /sys/fs/bpf | Pod: retina-agent-qc9bs | Volume: bpf
- Issue: hostPath volume used | Namespace: kube-system | Path: /sys/fs/cgroup | Pod: retina-agent-qc9bs | Volume: cgroup
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/cilium | Pod: retina-agent-qc9bs | Volume: cilium
- Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel/debug | Pod: retina-agent-wlt7b | Volume: debug
- Issue: hostPath volume used | Namespace: kube-system | Path: /sys/kernel/tracing | Pod: retina-agent-wlt7b | Volume: trace
- Issue: hostPath volume used | Namespace: kube-system | Path: /sys/fs/bpf | Pod: retina-agent-wlt7b | Volume: bpf
- Issue: hostPath volume used | Namespace: kube-system | Path: /sys/fs/cgroup | Pod: retina-agent-wlt7b | Volume: cgroup
- Issue: hostPath volume used | Namespace: kube-system | Path: /var/run/cilium | Pod: retina-agent-wlt7b | Volume: cilium

[SEC011 - Containers Running as UID 0]
Section: Security
Category: Pod Security
Severity: High
Recommendation: Avoid setting runAsUser to 0. Use non-root UIDs for better isolation.
URL: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
⚠️ Total Issues: 13
- Container: provider-azure-installer | Issue: Container runs as UID 0 | Namespace: kube-system | Pod: aks-secrets-store-provider-azure-68nhw | UID: 0
- Container: provider-azure-installer | Issue: Container runs as UID 0 | Namespace: kube-system | Pod: aks-secrets-store-provider-azure-7bqmn | UID: 0
- Container: provider-azure-installer | Issue: Container runs as UID 0 | Namespace: kube-system | Pod: aks-secrets-store-provider-azure-7r458 | UID: 0
- Container: provider-azure-installer | Issue: Container runs as UID 0 | Namespace: kube-system | Pod: aks-secrets-store-provider-azure-k9tdc | UID: 0
- Container: provider-azure-installer | Issue: Container runs as UID 0 | Namespace: kube-system | Pod: aks-secrets-store-provider-azure-n952g | UID: 0
- Container: provider-azure-installer | Issue: Container runs as UID 0 | Namespace: kube-system | Pod: aks-secrets-store-provider-azure-njpqh | UID: 0
- Container: azure-policy | Issue: Container runs as UID 0 | Namespace: kube-system | Pod: azure-policy-698f7c86b4-nnff2 | UID: 0
- Container: retina | Issue: Container runs as UID 0 | Namespace: kube-system | Pod: retina-agent-cgv48 | UID: 0
- Container: retina | Issue: Container runs as UID 0 | Namespace: kube-system | Pod: retina-agent-gjxk8 | UID: 0
- Container: retina | Issue: Container runs as UID 0 | Namespace: kube-system | Pod: retina-agent-js76w | UID: 0
- Container: retina | Issue: Container runs as UID 0 | Namespace: kube-system | Pod: retina-agent-lfn7d | UID: 0
- Container: retina | Issue: Container runs as UID 0 | Namespace: kube-system | Pod: retina-agent-qc9bs | UID: 0
- Container: retina | Issue: Container runs as UID 0 | Namespace: kube-system | Pod: retina-agent-wlt7b | UID: 0

[SEC012 - Added Linux Capabilities]
Section: Security
Category: Pod Security
Severity: Medium
Recommendation: Avoid adding capabilities unless necessary. Most apps don’t need them.
URL: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
⚠️ Total Issues: 70
- Capabilities: NET_BIND_SERVICE | Container: controller | Issue: Added Linux capabilities | Namespace: app-routing-system | Pod: nginx-69fcb489fd-4wgk9
- Capabilities: NET_BIND_SERVICE | Container: controller | Issue: Added Linux capabilities | Namespace: app-routing-system | Pod: nginx-69fcb489fd-64v6k
- Capabilities: DAC_OVERRIDE | Container: ama-logs | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-logs-4v8mz
- Capabilities: DAC_OVERRIDE | Container: ama-logs-prometheus | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-logs-4v8mz
- Capabilities: DAC_OVERRIDE | Container: ama-logs | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-logs-5vr2w
- Capabilities: DAC_OVERRIDE | Container: ama-logs-prometheus | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-logs-5vr2w
- Capabilities: DAC_OVERRIDE | Container: ama-logs | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-logs-fmd7b
- Capabilities: DAC_OVERRIDE | Container: ama-logs-prometheus | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-logs-fmd7b
- Capabilities: DAC_OVERRIDE | Container: ama-logs | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-logs-fpkw6
- Capabilities: DAC_OVERRIDE | Container: ama-logs-prometheus | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-logs-fpkw6
- Capabilities: DAC_OVERRIDE | Container: ama-logs | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-logs-gqs28
- Capabilities: DAC_OVERRIDE | Container: ama-logs-prometheus | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-logs-gqs28
- Capabilities: DAC_OVERRIDE | Container: ama-logs | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-logs-ndxrw
- Capabilities: DAC_OVERRIDE | Container: ama-logs-prometheus | Issue: Added
Linux capabilities | Namespace: kube-system | Pod: ama-logs-ndxrw - Capabilities: DAC_OVERRIDE | Container: ama-logs | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-logs-rs-64765bd4b9-ldxwl - Capabilities: DAC_OVERRIDE | Container: prometheus-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-metrics-7f878d975f-hlggb - Capabilities: NET_ADMIN, NET_RAW | Container: addon-token-adapter | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-metrics-7f878d975f-hlggb - Capabilities: DAC_OVERRIDE | Container: prometheus-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-metrics-7f878d975f-q2mlg - Capabilities: NET_ADMIN, NET_RAW | Container: addon-token-adapter | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-metrics-7f878d975f-q2mlg - Capabilities: DAC_OVERRIDE | Container: prometheus-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-metrics-node-2ssrw - Capabilities: NET_ADMIN, NET_RAW | Container: addon-token-adapter | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-metrics-node-2ssrw - Capabilities: DAC_OVERRIDE | Container: prometheus-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-metrics-node-6kkz8 - Capabilities: NET_ADMIN, NET_RAW | Container: addon-token-adapter | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-metrics-node-6kkz8 - Capabilities: DAC_OVERRIDE | Container: prometheus-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-metrics-node-9h44h - Capabilities: NET_ADMIN, NET_RAW | Container: addon-token-adapter | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-metrics-node-9h44h - Capabilities: DAC_OVERRIDE | Container: prometheus-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-metrics-node-lhk42 - Capabilities: NET_ADMIN, NET_RAW | Container: 
addon-token-adapter | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-metrics-node-lhk42 - Capabilities: DAC_OVERRIDE | Container: prometheus-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-metrics-node-nm5bf - Capabilities: NET_ADMIN, NET_RAW | Container: addon-token-adapter | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-metrics-node-nm5bf - Capabilities: DAC_OVERRIDE | Container: prometheus-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-metrics-node-pqcz5 - Capabilities: NET_ADMIN, NET_RAW | Container: addon-token-adapter | Issue: Added Linux capabilities | Namespace: kube-system | Pod: ama-metrics-node-pqcz5 - Capabilities: NET_ADMIN, NET_RAW | Container: azure-ip-masq-agent | Issue: Added Linux capabilities | Namespace: kube-system | Pod: azure-ip-masq-agent-4522j - Capabilities: NET_ADMIN, NET_RAW | Container: azure-ip-masq-agent | Issue: Added Linux capabilities | Namespace: kube-system | Pod: azure-ip-masq-agent-4c7cr - Capabilities: NET_ADMIN, NET_RAW | Container: azure-ip-masq-agent | Issue: Added Linux capabilities | Namespace: kube-system | Pod: azure-ip-masq-agent-78rnw - Capabilities: NET_ADMIN, NET_RAW | Container: azure-ip-masq-agent | Issue: Added Linux capabilities | Namespace: kube-system | Pod: azure-ip-masq-agent-84ltn - Capabilities: NET_ADMIN, NET_RAW | Container: azure-ip-masq-agent | Issue: Added Linux capabilities | Namespace: kube-system | Pod: azure-ip-masq-agent-t4c2w - Capabilities: NET_ADMIN, NET_RAW | Container: azure-ip-masq-agent | Issue: Added Linux capabilities | Namespace: kube-system | Pod: azure-ip-masq-agent-vbdd8 - Capabilities: NET_ADMIN, NET_RAW | Container: azure-npm | Issue: Added Linux capabilities | Namespace: kube-system | Pod: azure-npm-jsbbh - Capabilities: NET_ADMIN, NET_RAW | Container: azure-npm | Issue: Added Linux capabilities | Namespace: kube-system | Pod: azure-npm-lp6sf - Capabilities: NET_ADMIN, 
NET_RAW | Container: azure-npm | Issue: Added Linux capabilities | Namespace: kube-system | Pod: azure-npm-nv6xx - Capabilities: NET_ADMIN, NET_RAW | Container: azure-npm | Issue: Added Linux capabilities | Namespace: kube-system | Pod: azure-npm-p6fpw - Capabilities: NET_ADMIN, NET_RAW | Container: azure-npm | Issue: Added Linux capabilities | Namespace: kube-system | Pod: azure-npm-vsrfp - Capabilities: NET_ADMIN, NET_RAW | Container: azure-npm | Issue: Added Linux capabilities | Namespace: kube-system | Pod: azure-npm-z8mcz - Capabilities: NET_BIND_SERVICE | Container: coredns | Issue: Added Linux capabilities | Namespace: kube-system | Pod: coredns-658d6d767d-757xp - Capabilities: NET_BIND_SERVICE | Container: coredns | Issue: Added Linux capabilities | Namespace: kube-system | Pod: coredns-658d6d767d-pt6l6 - Capabilities: NET_RAW, NET_ADMIN | Container: microsoft-defender-pod-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-collector-ds-6xdfq - Capabilities: SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW | Container: microsoft-defender-low-level-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-collector-ds-6xdfq - Capabilities: NET_RAW, NET_ADMIN | Container: microsoft-defender-pod-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-collector-ds-89l74 - Capabilities: SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW | Container: microsoft-defender-low-level-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-collector-ds-89l74 - Capabilities: NET_RAW, NET_ADMIN | Container: microsoft-defender-pod-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-collector-ds-d7gwk - Capabilities: SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW | Container: 
microsoft-defender-low-level-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-collector-ds-d7gwk - Capabilities: NET_RAW, NET_ADMIN | Container: microsoft-defender-pod-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-collector-ds-mdcs8 - Capabilities: SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW | Container: microsoft-defender-low-level-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-collector-ds-mdcs8 - Capabilities: NET_RAW, NET_ADMIN | Container: microsoft-defender-pod-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-collector-ds-q6d6c - Capabilities: SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW | Container: microsoft-defender-low-level-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-collector-ds-q6d6c - Capabilities: NET_RAW, NET_ADMIN | Container: microsoft-defender-pod-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-collector-ds-wb5dm - Capabilities: SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW | Container: microsoft-defender-low-level-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-collector-ds-wb5dm - Capabilities: NET_RAW, NET_ADMIN | Container: microsoft-defender-pod-collector | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-collector-misc-7df6776447-bcbph - Capabilities: NET_RAW, NET_ADMIN | Container: microsoft-defender-publisher | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-2ql5b - Capabilities: NET_RAW, NET_ADMIN | Container: microsoft-defender-publisher | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-2rsrw - 
Capabilities: NET_RAW, NET_ADMIN | Container: microsoft-defender-publisher | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-jj6dh
- Capabilities: NET_RAW, NET_ADMIN | Container: microsoft-defender-publisher | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-l5crs
- Capabilities: NET_RAW, NET_ADMIN | Container: microsoft-defender-publisher | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-lfk8h
- Capabilities: NET_RAW, NET_ADMIN | Container: microsoft-defender-publisher | Issue: Added Linux capabilities | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-vz2c6
- Capabilities: SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK | Container: retina | Issue: Added Linux capabilities | Namespace: kube-system | Pod: retina-agent-cgv48
- Capabilities: SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK | Container: retina | Issue: Added Linux capabilities | Namespace: kube-system | Pod: retina-agent-gjxk8
- Capabilities: SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK | Container: retina | Issue: Added Linux capabilities | Namespace: kube-system | Pod: retina-agent-js76w
- Capabilities: SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK | Container: retina | Issue: Added Linux capabilities | Namespace: kube-system | Pod: retina-agent-lfn7d
- Capabilities: SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK | Container: retina | Issue: Added Linux capabilities | Namespace: kube-system | Pod: retina-agent-qc9bs
- Capabilities: SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK | Container: retina | Issue: Added Linux capabilities | Namespace: kube-system | Pod: retina-agent-wlt7b

[SEC013 - EmptyDir Volume Usage]
Section: Security
Category: Pod Security
Severity: Low
Recommendation: Use persistent volumes or configMaps instead of EmptyDir when persistence is required.
URL: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir
⚠️ Total Issues: 98
- Issue: EmptyDir volume used | Namespace: aks-istio-ingress | Pod: aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4 | Volume: workload-socket
- Issue: EmptyDir volume used | Namespace: aks-istio-ingress | Pod: aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4 | Volume: credential-socket
- Issue: EmptyDir volume used | Namespace: aks-istio-ingress | Pod: aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4 | Volume: workload-certs
- Issue: EmptyDir volume used | Namespace: aks-istio-ingress | Pod: aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4 | Volume: istio-envoy
- Issue: EmptyDir volume used | Namespace: aks-istio-ingress | Pod: aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4 | Volume: istio-data
- Issue: EmptyDir volume used | Namespace: aks-istio-ingress | Pod: aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb | Volume: workload-socket
- Issue: EmptyDir volume used | Namespace: aks-istio-ingress | Pod: aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb | Volume: credential-socket
- Issue: EmptyDir volume used | Namespace: aks-istio-ingress | Pod: aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb | Volume: workload-certs
- Issue: EmptyDir volume used | Namespace: aks-istio-ingress | Pod: aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb | Volume: istio-envoy
- Issue: EmptyDir volume used | Namespace: aks-istio-ingress | Pod: aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb | Volume: istio-data
- Issue: EmptyDir volume used | Namespace: aks-istio-system | Pod: istiod-asm-1-23-7744d5fbf4-9572m | Volume: local-certs
- Issue: EmptyDir volume used | Namespace: aks-istio-system | Pod: istiod-asm-1-23-7744d5fbf4-rqzvt | Volume: local-certs
- Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-application-controller-0 | Volume: argocd-home
- Issue: EmptyDir volume used |
Namespace: argocd | Pod: argocd-application-controller-0 | Volume: argocd-application-controller-tmp - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-applicationset-controller-6fdf84dbb6-msffz | Volume: gpg-keyring - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-applicationset-controller-6fdf84dbb6-msffz | Volume: tmp - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-dex-server-556c76889-h4kxj | Volume: static-files - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-dex-server-556c76889-h4kxj | Volume: dexconfig - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-redis-ha-haproxy-fb657456c-kjbkq | Volume: shared-socket - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-redis-ha-haproxy-fb657456c-kjbkq | Volume: data - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-redis-ha-haproxy-fb657456c-kjlpf | Volume: shared-socket - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-redis-ha-haproxy-fb657456c-kjlpf | Volume: data - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-redis-ha-haproxy-fb657456c-tnjmb | Volume: shared-socket - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-redis-ha-haproxy-fb657456c-tnjmb | Volume: data - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-redis-ha-server-0 | Volume: data - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-redis-ha-server-1 | Volume: data - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-redis-ha-server-2 | Volume: data - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-repo-server-8568fc89b5-sx6ks | Volume: gpg-keyring - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-repo-server-8568fc89b5-sx6ks | Volume: tmp - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-repo-server-8568fc89b5-sx6ks | Volume: helm-working-dir - Issue: EmptyDir volume used | Namespace: argocd | Pod: 
argocd-repo-server-8568fc89b5-sx6ks | Volume: var-files - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-repo-server-8568fc89b5-sx6ks | Volume: plugins - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-repo-server-8568fc89b5-xrzzn | Volume: gpg-keyring - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-repo-server-8568fc89b5-xrzzn | Volume: tmp - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-repo-server-8568fc89b5-xrzzn | Volume: helm-working-dir - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-repo-server-8568fc89b5-xrzzn | Volume: var-files - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-repo-server-8568fc89b5-xrzzn | Volume: plugins - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-server-54f9645b87-k4rz8 | Volume: plugins-home - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-server-54f9645b87-k4rz8 | Volume: tmp - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-server-54f9645b87-wwzgz | Volume: plugins-home - Issue: EmptyDir volume used | Namespace: argocd | Pod: argocd-server-54f9645b87-wwzgz | Volume: tmp - Issue: EmptyDir volume used | Namespace: gatekeeper-system | Pod: gatekeeper-audit-77858c8f69-7k782 | Volume: tmp-volume - Issue: EmptyDir volume used | Namespace: kiali-operator | Pod: kiali-operator-696bd54db-mr8md | Volume: tmp - Issue: EmptyDir volume used | Namespace: kube-system | Pod: ama-logs-4v8mz | Volume: mdsd-prometheus-sock - Issue: EmptyDir volume used | Namespace: kube-system | Pod: ama-logs-5vr2w | Volume: mdsd-prometheus-sock - Issue: EmptyDir volume used | Namespace: kube-system | Pod: ama-logs-fmd7b | Volume: mdsd-prometheus-sock - Issue: EmptyDir volume used | Namespace: kube-system | Pod: ama-logs-fpkw6 | Volume: mdsd-prometheus-sock - Issue: EmptyDir volume used | Namespace: kube-system | Pod: ama-logs-gqs28 | Volume: mdsd-prometheus-sock - Issue: EmptyDir volume used | Namespace: kube-system | Pod: 
ama-logs-ndxrw | Volume: mdsd-prometheus-sock - Issue: EmptyDir volume used | Namespace: kube-system | Pod: ama-metrics-operator-targets-66fb46c8d6-vskdg | Volume: ta-config-shared - Issue: EmptyDir volume used | Namespace: kube-system | Pod: azure-npm-jsbbh | Volume: tmp - Issue: EmptyDir volume used | Namespace: kube-system | Pod: azure-npm-lp6sf | Volume: tmp - Issue: EmptyDir volume used | Namespace: kube-system | Pod: azure-npm-nv6xx | Volume: tmp - Issue: EmptyDir volume used | Namespace: kube-system | Pod: azure-npm-p6fpw | Volume: tmp - Issue: EmptyDir volume used | Namespace: kube-system | Pod: azure-npm-vsrfp | Volume: tmp - Issue: EmptyDir volume used | Namespace: kube-system | Pod: azure-npm-z8mcz | Volume: tmp - Issue: EmptyDir volume used | Namespace: kube-system | Pod: coredns-658d6d767d-757xp | Volume: tmp - Issue: EmptyDir volume used | Namespace: kube-system | Pod: coredns-658d6d767d-pt6l6 | Volume: tmp - Issue: EmptyDir volume used | Namespace: kube-system | Pod: metrics-server-5f9ccffcc4-jsrjl | Volume: tmp-dir - Issue: EmptyDir volume used | Namespace: kube-system | Pod: metrics-server-5f9ccffcc4-v88pw | Volume: tmp-dir - Issue: EmptyDir volume used | Namespace: kube-system | Pod: microsoft-defender-collector-ds-6xdfq | Volume: ebpf - Issue: EmptyDir volume used | Namespace: kube-system | Pod: microsoft-defender-collector-ds-89l74 | Volume: ebpf - Issue: EmptyDir volume used | Namespace: kube-system | Pod: microsoft-defender-collector-ds-d7gwk | Volume: ebpf - Issue: EmptyDir volume used | Namespace: kube-system | Pod: microsoft-defender-collector-ds-mdcs8 | Volume: ebpf - Issue: EmptyDir volume used | Namespace: kube-system | Pod: microsoft-defender-collector-ds-q6d6c | Volume: ebpf - Issue: EmptyDir volume used | Namespace: kube-system | Pod: microsoft-defender-collector-ds-wb5dm | Volume: ebpf - Issue: EmptyDir volume used | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-2ql5b | Volume: fluent-bit-conf - Issue: EmptyDir volume 
used | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-2rsrw | Volume: fluent-bit-conf - Issue: EmptyDir volume used | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-jj6dh | Volume: fluent-bit-conf - Issue: EmptyDir volume used | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-l5crs | Volume: fluent-bit-conf - Issue: EmptyDir volume used | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-lfk8h | Volume: fluent-bit-conf - Issue: EmptyDir volume used | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-vz2c6 | Volume: fluent-bit-conf - Issue: EmptyDir volume used | Namespace: kube-system | Pod: retina-agent-cgv48 | Volume: tmp - Issue: EmptyDir volume used | Namespace: kube-system | Pod: retina-agent-gjxk8 | Volume: tmp - Issue: EmptyDir volume used | Namespace: kube-system | Pod: retina-agent-js76w | Volume: tmp - Issue: EmptyDir volume used | Namespace: kube-system | Pod: retina-agent-lfn7d | Volume: tmp - Issue: EmptyDir volume used | Namespace: kube-system | Pod: retina-agent-qc9bs | Volume: tmp - Issue: EmptyDir volume used | Namespace: kube-system | Pod: retina-agent-wlt7b | Volume: tmp - Issue: EmptyDir volume used | Namespace: pets | Pod: order-service-6c5bfb6946-b58xq | Volume: workload-socket - Issue: EmptyDir volume used | Namespace: pets | Pod: order-service-6c5bfb6946-b58xq | Volume: credential-socket - Issue: EmptyDir volume used | Namespace: pets | Pod: order-service-6c5bfb6946-b58xq | Volume: workload-certs - Issue: EmptyDir volume used | Namespace: pets | Pod: order-service-6c5bfb6946-b58xq | Volume: istio-envoy - Issue: EmptyDir volume used | Namespace: pets | Pod: order-service-6c5bfb6946-b58xq | Volume: istio-data - Issue: EmptyDir volume used | Namespace: pets | Pod: product-service-5dd87dfb8-ssfxc | Volume: workload-socket - Issue: EmptyDir volume used | Namespace: pets | Pod: product-service-5dd87dfb8-ssfxc | Volume: credential-socket - Issue: EmptyDir volume used | Namespace: 
pets | Pod: product-service-5dd87dfb8-ssfxc | Volume: workload-certs
- Issue: EmptyDir volume used | Namespace: pets | Pod: product-service-5dd87dfb8-ssfxc | Volume: istio-envoy
- Issue: EmptyDir volume used | Namespace: pets | Pod: product-service-5dd87dfb8-ssfxc | Volume: istio-data
- Issue: EmptyDir volume used | Namespace: pets | Pod: rabbitmq-0 | Volume: workload-socket
- Issue: EmptyDir volume used | Namespace: pets | Pod: rabbitmq-0 | Volume: credential-socket
- Issue: EmptyDir volume used | Namespace: pets | Pod: rabbitmq-0 | Volume: workload-certs
- Issue: EmptyDir volume used | Namespace: pets | Pod: rabbitmq-0 | Volume: istio-envoy
- Issue: EmptyDir volume used | Namespace: pets | Pod: rabbitmq-0 | Volume: istio-data
- Issue: EmptyDir volume used | Namespace: pets | Pod: store-front-658994fd95-pk9qn | Volume: workload-socket
- Issue: EmptyDir volume used | Namespace: pets | Pod: store-front-658994fd95-pk9qn | Volume: credential-socket
- Issue: EmptyDir volume used | Namespace: pets | Pod: store-front-658994fd95-pk9qn | Volume: workload-certs
- Issue: EmptyDir volume used | Namespace: pets | Pod: store-front-658994fd95-pk9qn | Volume: istio-envoy
- Issue: EmptyDir volume used | Namespace: pets | Pod: store-front-658994fd95-pk9qn | Volume: istio-data

[SEC014 - Untrusted Image Registries]
Section: Security
Category: Pod Security
Severity: High
Recommendation: Use only trusted registries. Restrict deployment sources via policy.
URL: https://kubernetes.io/docs/concepts/containers/images/
⚠️ Total Issues: 180
- Container: istio-proxy | Image: mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless | Issue: Image from untrusted registry | Namespace: aks-istio-ingress | Pod: aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4
- Container: istio-proxy | Image: mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless | Issue: Image from untrusted registry | Namespace: aks-istio-ingress | Pod: aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb
- Container: discovery | Image: mcr.microsoft.com/oss/istio/pilot:1.23.5-distroless | Issue: Image from untrusted registry | Namespace: aks-istio-system | Pod: istiod-asm-1-23-7744d5fbf4-9572m
- Container: discovery | Image: mcr.microsoft.com/oss/istio/pilot:1.23.5-distroless | Issue: Image from untrusted registry | Namespace: aks-istio-system | Pod: istiod-asm-1-23-7744d5fbf4-rqzvt
- Container: controller | Image: mcr.microsoft.com/oss/kubernetes/ingress/nginx-ingress-controller:v1.11.5 | Issue: Image from untrusted registry | Namespace: app-routing-system | Pod: nginx-69fcb489fd-4wgk9
- Container: controller | Image: mcr.microsoft.com/oss/kubernetes/ingress/nginx-ingress-controller:v1.11.5 | Issue: Image from untrusted registry | Namespace: app-routing-system | Pod: nginx-69fcb489fd-64v6k
- Container: webserver-simple | Image: docker.io/kostiscodefresh/gitops-simple-app:v1.0 | Issue: Image from untrusted registry | Namespace: argo-rollouts | Pod: simple-deployment-74fd649f8d-996vt
- Container: webserver-simple | Image: docker.io/kostiscodefresh/gitops-simple-app:v1.0 | Issue: Image from untrusted registry | Namespace: argo-workflows | Pod: simple-deployment-74fd649f8d-24t56
- Container: argocd-application-controller | Image: mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-application-controller-0
- Container: argocd-applicationset-controller | Image:
mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-applicationset-controller-6fdf84dbb6-msffz - Container: dex | Image: mcr.microsoft.com/oss/v2/dexidp/dex:v2.41.1 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-dex-server-556c76889-h4kxj - Container: argocd-notifications-controller | Image: mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-notifications-controller-6ff6bf8dd6-nbktr - Container: haproxy | Image: mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-redis-ha-haproxy-fb657456c-kjbkq - Container: haproxy | Image: mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-redis-ha-haproxy-fb657456c-kjlpf - Container: haproxy | Image: mcr.microsoft.com/oss/v2/haproxy/haproxy:v2.9.11 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-redis-ha-haproxy-fb657456c-tnjmb - Container: redis | Image: mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-redis-ha-server-0 - Container: sentinel | Image: mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-redis-ha-server-0 - Container: split-brain-fix | Image: mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-redis-ha-server-0 - Container: redis | Image: mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-redis-ha-server-1 - Container: sentinel | Image: mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-redis-ha-server-1 - Container: 
split-brain-fix | Image: mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-redis-ha-server-1 - Container: redis | Image: mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-redis-ha-server-2 - Container: sentinel | Image: mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-redis-ha-server-2 - Container: split-brain-fix | Image: mcr.microsoft.com/oss/v2/valkey-io/valkey:v7.2.7 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-redis-ha-server-2 - Container: argocd-repo-server | Image: mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-repo-server-8568fc89b5-sx6ks - Container: argocd-repo-server | Image: mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-repo-server-8568fc89b5-xrzzn - Container: argocd-server | Image: mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-server-54f9645b87-k4rz8 - Container: argocd-server | Image: mcr.microsoft.com/oss/v2/argoproj/argocd:v3.0.0-rc.3-1 | Issue: Image from untrusted registry | Namespace: argocd | Pod: argocd-server-54f9645b87-wwzgz - Container: webserver-simple | Image: docker.io/kostiscodefresh/gitops-simple-app:v1.0 | Issue: Image from untrusted registry | Namespace: cert-manager | Pod: simple-deployment-74fd649f8d-7cht8 - Container: gatekeeper-audit-container | Image: mcr.microsoft.com/oss/v2/open-policy-agent/gatekeeper:v3.18.2-1 | Issue: Image from untrusted registry | Namespace: gatekeeper-system | Pod: gatekeeper-audit-77858c8f69-7k782 - Container: gatekeeper-controller-container | Image: mcr.microsoft.com/oss/v2/open-policy-agent/gatekeeper:v3.18.2-1 | Issue: 
Image from untrusted registry | Namespace: gatekeeper-system | Pod: gatekeeper-controller-6f97954b4b-7tbnr - Container: gatekeeper-controller-container | Image: mcr.microsoft.com/oss/v2/open-policy-agent/gatekeeper:v3.18.2-1 | Issue: Image from untrusted registry | Namespace: gatekeeper-system | Pod: gatekeeper-controller-6f97954b4b-gwrgg - Container: webserver-simple | Image: docker.io/kostiscodefresh/gitops-simple-app:v1.0 | Issue: Image from untrusted registry | Namespace: grafana | Pod: simple-deployment-74fd649f8d-l7wrd - Container: kiali | Image: quay.io/kiali/kiali:v2.7.1 | Issue: Image from untrusted registry | Namespace: kiali-operator | Pod: kiali-5b88cfb6f8-cm8dz - Container: operator | Image: quay.io/kiali/kiali-operator:v2.7.1 | Issue: Image from untrusted registry | Namespace: kiali-operator | Pod: kiali-operator-696bd54db-mr8md - Container: node-driver-registrar | Image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-2l2wl - Container: secrets-store | Image: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-2l2wl - Container: liveness-probe | Image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-2l2wl - Container: node-driver-registrar | Image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-6w2vp - Container: secrets-store | Image: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-6w2vp - Container: liveness-probe | Image: 
mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-6w2vp - Container: node-driver-registrar | Image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-7879c - Container: secrets-store | Image: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-7879c - Container: liveness-probe | Image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-7879c - Container: node-driver-registrar | Image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-m8m29 - Container: secrets-store | Image: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-m8m29 - Container: liveness-probe | Image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-m8m29 - Container: node-driver-registrar | Image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-vnmcd - Container: secrets-store | Image: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-vnmcd - Container: liveness-probe | Image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1 | Issue: Image from untrusted registry | 
Namespace: kube-system | Pod: aks-secrets-store-csi-driver-vnmcd - Container: node-driver-registrar | Image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v2.11.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-zrfbz - Container: secrets-store | Image: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver:v1.4.8 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-zrfbz - Container: liveness-probe | Image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.13.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-csi-driver-zrfbz - Container: provider-azure-installer | Image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-provider-azure-68nhw - Container: provider-azure-installer | Image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-provider-azure-7bqmn - Container: provider-azure-installer | Image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-provider-azure-7r458 - Container: provider-azure-installer | Image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-provider-azure-k9tdc - Container: provider-azure-installer | Image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: aks-secrets-store-provider-azure-n952g - Container: provider-azure-installer | Image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.6.2 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: 
aks-secrets-store-provider-azure-njpqh - Container: ama-logs | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-logs-4v8mz - Container: ama-logs-prometheus | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-logs-4v8mz - Container: ama-logs | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-logs-5vr2w - Container: ama-logs-prometheus | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-logs-5vr2w - Container: ama-logs | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-logs-fmd7b - Container: ama-logs-prometheus | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-logs-fmd7b - Container: ama-logs | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-logs-fpkw6 - Container: ama-logs-prometheus | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-logs-fpkw6 - Container: ama-logs | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-logs-gqs28 - Container: ama-logs-prometheus | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-logs-gqs28 - Container: ama-logs | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26 | Issue: 
Image from untrusted registry | Namespace: kube-system | Pod: ama-logs-ndxrw - Container: ama-logs-prometheus | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-logs-ndxrw - Container: ama-logs | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.26 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-logs-rs-64765bd4b9-ldxwl - Container: prometheus-collector | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-7f878d975f-hlggb - Container: addon-token-adapter | Image: mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-7f878d975f-hlggb - Container: prometheus-collector | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-7f878d975f-q2mlg - Container: addon-token-adapter | Image: mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-7f878d975f-q2mlg - Container: ama-metrics-ksm | Image: mcr.microsoft.com/oss/kubernetes/kube-state-metrics:v2.12.0 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-ksm-5bd68b9c-8l9lp - Container: prometheus-collector | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-node-2ssrw - Container: addon-token-adapter | Image: mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1 | Issue: Image from untrusted registry | Namespace: 
kube-system | Pod: ama-metrics-node-2ssrw - Container: prometheus-collector | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-node-6kkz8 - Container: addon-token-adapter | Image: mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-node-6kkz8 - Container: prometheus-collector | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-node-9h44h - Container: addon-token-adapter | Image: mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-node-9h44h - Container: prometheus-collector | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-node-lhk42 - Container: addon-token-adapter | Image: mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-node-lhk42 - Container: prometheus-collector | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-node-nm5bf - Container: addon-token-adapter | Image: mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-node-nm5bf - Container: prometheus-collector | Image: 
mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-node-pqcz5 - Container: addon-token-adapter | Image: mcr.microsoft.com/aks/msi/addon-token-adapter:master.250224.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-node-pqcz5 - Container: targetallocator | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c-targetallocator | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-operator-targets-66fb46c8d6-vskdg - Container: config-reader | Image: mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.15.0-main-02-21-2025-4acb2b4c-cfg | Issue: Image from untrusted registry | Namespace: kube-system | Pod: ama-metrics-operator-targets-66fb46c8d6-vskdg - Container: azure-ip-masq-agent | Image: mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: azure-ip-masq-agent-4522j - Container: azure-ip-masq-agent | Image: mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: azure-ip-masq-agent-4c7cr - Container: azure-ip-masq-agent | Image: mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: azure-ip-masq-agent-78rnw - Container: azure-ip-masq-agent | Image: mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: azure-ip-masq-agent-84ltn - Container: azure-ip-masq-agent | Image: mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: azure-ip-masq-agent-t4c2w - Container: azure-ip-masq-agent | Image: 
mcr.microsoft.com/oss/v2/azure/ip-masq-agent-v2:v0.1.15-2 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: azure-ip-masq-agent-vbdd8 - Container: azure-npm | Image: mcr.microsoft.com/containernetworking/azure-npm:v1.5.45 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: azure-npm-jsbbh - Container: azure-npm | Image: mcr.microsoft.com/containernetworking/azure-npm:v1.5.45 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: azure-npm-lp6sf - Container: azure-npm | Image: mcr.microsoft.com/containernetworking/azure-npm:v1.5.45 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: azure-npm-nv6xx - Container: azure-npm | Image: mcr.microsoft.com/containernetworking/azure-npm:v1.5.45 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: azure-npm-p6fpw - Container: azure-npm | Image: mcr.microsoft.com/containernetworking/azure-npm:v1.5.45 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: azure-npm-vsrfp - Container: azure-npm | Image: mcr.microsoft.com/containernetworking/azure-npm:v1.5.45 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: azure-npm-z8mcz - Container: azure-policy | Image: mcr.microsoft.com/azure-policy/policy-kubernetes-addon-prod:1.10.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: azure-policy-698f7c86b4-nnff2 - Container: azure-policy-webhook | Image: mcr.microsoft.com/azure-policy/policy-kubernetes-webhook:1.10.0 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: azure-policy-webhook-764fdf5cd5-6vrc5 - Container: manager | Image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.4.0 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: azure-wi-webhook-controller-manager-7f95f666d4-7r44b - Container: manager | Image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.4.0 | Issue: Image from untrusted registry | Namespace: kube-system | 
Pod: azure-wi-webhook-controller-manager-7f95f666d4-xfh2p - Container: cloud-node-manager | Image: mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: cloud-node-manager-57rk2 - Container: cloud-node-manager | Image: mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: cloud-node-manager-gl5xl - Container: cloud-node-manager | Image: mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: cloud-node-manager-l7v5j - Container: cloud-node-manager | Image: mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: cloud-node-manager-lr49d - Container: cloud-node-manager | Image: mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: cloud-node-manager-n5qdr - Container: cloud-node-manager | Image: mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.30.10 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: cloud-node-manager-xwrrd - Container: coredns | Image: mcr.microsoft.com/oss/v2/kubernetes/coredns:v1.9.4-5 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: coredns-658d6d767d-757xp - Container: coredns | Image: mcr.microsoft.com/oss/v2/kubernetes/coredns:v1.9.4-5 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: coredns-658d6d767d-pt6l6 - Container: autoscaler | Image: mcr.microsoft.com/oss/v2/kubernetes/autoscaler/cluster-proportional-autoscaler:v1.8.11-5 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: coredns-autoscaler-5955d6bbdb-mz9kn - Container: manager | Image: mcr.microsoft.com/oss/v2/eraser/eraser-manager:v1.4.0-2 | Issue: Image from untrusted registry | 
Namespace: kube-system | Pod: eraser-controller-manager-864f9476c8-lhdfc - Container: extension-agent | Image: mcr.microsoft.com/azurearck8s/aks/stable/config-agent:1.23.3 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: extension-agent-66c4486d68-46cqq - Container: fluent-bit | Image: mcr.microsoft.com/azurearck8s/aks/stable/fluent-bit-collector:1.23.3 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: extension-agent-66c4486d68-46cqq - Container: manager | Image: mcr.microsoft.com/azurearck8s/aks/stable/extensionoperator:1.23.3 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: extension-operator-d95fd449b-ssrcx - Container: fluent-bit | Image: mcr.microsoft.com/azurearck8s/aks/stable/fluent-bit-collector:1.23.3 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: extension-operator-d95fd449b-ssrcx - Container: keda-admission-webhooks | Image: mcr.microsoft.com/oss/kedacore/keda-admission-webhooks:2.14.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: keda-admission-webhooks-787f866c7c-4b64k - Container: keda-admission-webhooks | Image: mcr.microsoft.com/oss/kedacore/keda-admission-webhooks:2.14.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: keda-admission-webhooks-787f866c7c-dw2sg - Container: keda-operator | Image: mcr.microsoft.com/oss/kedacore/keda:2.14.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: keda-operator-6b85944bfb-4zpbp - Container: keda-operator | Image: mcr.microsoft.com/oss/kedacore/keda:2.14.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: keda-operator-6b85944bfb-sx9sj - Container: keda-operator-metrics-apiserver | Image: mcr.microsoft.com/oss/kedacore/keda-metrics-apiserver:2.14.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: keda-operator-metrics-apiserver-8468875db7-86c5h - Container: keda-operator-metrics-apiserver | Image: 
mcr.microsoft.com/oss/kedacore/keda-metrics-apiserver:2.14.1 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: keda-operator-metrics-apiserver-8468875db7-ngp4h - Container: konnectivity-agent | Image: mcr.microsoft.com/oss/kubernetes/apiserver-network-proxy/agent:v0.30.3-hotfix.20240819 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: konnectivity-agent-9f65c5cd8-fzm5q - Container: konnectivity-agent | Image: mcr.microsoft.com/oss/kubernetes/apiserver-network-proxy/agent:v0.30.3-hotfix.20240819 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: konnectivity-agent-9f65c5cd8-t9qdj - Container: autoscaler | Image: mcr.microsoft.com/oss/v2/kubernetes/autoscaler/cluster-proportional-autoscaler:v1.8.11-5 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: konnectivity-agent-autoscaler-cdfc7c46-vct7p - Container: kube-proxy | Image: mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: kube-proxy-26xkd - Container: kube-proxy | Image: mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: kube-proxy-6mrql - Container: kube-proxy | Image: mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: kube-proxy-9rbxf - Container: kube-proxy | Image: mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: kube-proxy-njzgk - Container: kube-proxy | Image: mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: kube-proxy-rvmxl - Container: kube-proxy | Image: mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.30.11 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: kube-proxy-vp7xj - Container: metrics-server-vpa | Image: 
mcr.microsoft.com/oss/v2/kubernetes/autoscaler/addon-resizer:v1.8.23-2 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: metrics-server-5f9ccffcc4-jsrjl - Container: metrics-server | Image: mcr.microsoft.com/oss/v2/kubernetes/metrics-server:v0.6.3-5 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: metrics-server-5f9ccffcc4-jsrjl - Container: metrics-server-vpa | Image: mcr.microsoft.com/oss/v2/kubernetes/autoscaler/addon-resizer:v1.8.23-2 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: metrics-server-5f9ccffcc4-v88pw - Container: metrics-server | Image: mcr.microsoft.com/oss/v2/kubernetes/metrics-server:v0.6.3-5 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: metrics-server-5f9ccffcc4-v88pw - Container: microsoft-defender-pod-collector | Image: mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-collector-ds-6xdfq - Container: microsoft-defender-low-level-collector | Image: mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-collector-ds-6xdfq - Container: microsoft-defender-pod-collector | Image: mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-collector-ds-89l74 - Container: microsoft-defender-low-level-collector | Image: mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-collector-ds-89l74 - Container: microsoft-defender-pod-collector | Image: mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-collector-ds-d7gwk - Container: microsoft-defender-low-level-collector | Image: 
mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-collector-ds-d7gwk - Container: microsoft-defender-pod-collector | Image: mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-collector-ds-mdcs8 - Container: microsoft-defender-low-level-collector | Image: mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-collector-ds-mdcs8 - Container: microsoft-defender-pod-collector | Image: mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-collector-ds-q6d6c - Container: microsoft-defender-low-level-collector | Image: mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-collector-ds-q6d6c - Container: microsoft-defender-pod-collector | Image: mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-collector-ds-wb5dm - Container: microsoft-defender-low-level-collector | Image: mcr.microsoft.com/azuredefender/stable/low-level-collector:2.0.198 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-collector-ds-wb5dm - Container: microsoft-defender-pod-collector | Image: mcr.microsoft.com/azuredefender/stable/pod-collector:1.0.164 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-collector-misc-7df6776447-bcbph - Container: microsoft-defender-publisher | Image: mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: 
microsoft-defender-publisher-ds-2ql5b - Container: microsoft-defender-publisher | Image: mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-2rsrw - Container: microsoft-defender-publisher | Image: mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-jj6dh - Container: microsoft-defender-publisher | Image: mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-l5crs - Container: microsoft-defender-publisher | Image: mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-lfk8h - Container: microsoft-defender-publisher | Image: mcr.microsoft.com/azuredefender/stable/security-publisher:1.0.204 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: microsoft-defender-publisher-ds-vz2c6 - Container: retina | Image: mcr.microsoft.com/containernetworking/retina-agent:v0.0.30 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: retina-agent-cgv48 - Container: retina | Image: mcr.microsoft.com/containernetworking/retina-agent:v0.0.30 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: retina-agent-gjxk8 - Container: retina | Image: mcr.microsoft.com/containernetworking/retina-agent:v0.0.30 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: retina-agent-js76w - Container: retina | Image: mcr.microsoft.com/containernetworking/retina-agent:v0.0.30 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: retina-agent-lfn7d - Container: retina | Image: mcr.microsoft.com/containernetworking/retina-agent:v0.0.30 | Issue: Image from untrusted 
registry | Namespace: kube-system | Pod: retina-agent-qc9bs - Container: retina | Image: mcr.microsoft.com/containernetworking/retina-agent:v0.0.30 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: retina-agent-wlt7b - Container: admission-controller | Image: mcr.microsoft.com/oss/kubernetes/autoscaler/vpa-admission-controller:1.0.0 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: vpa-admission-controller-7d9f8d57bd-lrcch - Container: admission-controller | Image: mcr.microsoft.com/oss/kubernetes/autoscaler/vpa-admission-controller:1.0.0 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: vpa-admission-controller-7d9f8d57bd-tnqvx - Container: recommender | Image: mcr.microsoft.com/oss/kubernetes/autoscaler/vpa-recommender:1.0.0 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: vpa-recommender-74bfff7f75-sspdc - Container: updater | Image: mcr.microsoft.com/oss/kubernetes/autoscaler/vpa-updater:1.0.0 | Issue: Image from untrusted registry | Namespace: kube-system | Pod: vpa-updater-5d6d49f8b6-pxkz8 - Container: webserver-simple | Image: docker.io/kostiscodefresh/gitops-simple-app:v1.0 | Issue: Image from untrusted registry | Namespace: kubeview | Pod: simple-deployment-74fd649f8d-qxp2r - Container: webserver-simple | Image: docker.io/kostiscodefresh/gitops-simple-app:v1.0 | Issue: Image from untrusted registry | Namespace: linkerd | Pod: simple-deployment-74fd649f8d-mkmst - Container: webserver-simple | Image: docker.io/kostiscodefresh/gitops-simple-app:v1.0 | Issue: Image from untrusted registry | Namespace: nginx | Pod: simple-deployment-74fd649f8d-hlcdk - Container: istio-proxy | Image: mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless | Issue: Image from untrusted registry | Namespace: pets | Pod: order-service-6c5bfb6946-b58xq - Container: istio-proxy | Image: mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless | Issue: Image from untrusted registry | Namespace: pets | Pod: 
product-service-5dd87dfb8-ssfxc
- Container: rabbitmq | Image: mcr.microsoft.com/mirror/docker/library/rabbitmq:3.10-management-alpine | Issue: Image from untrusted registry | Namespace: pets | Pod: rabbitmq-0
- Container: istio-proxy | Image: mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless | Issue: Image from untrusted registry | Namespace: pets | Pod: rabbitmq-0
- Container: istio-proxy | Image: mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless | Issue: Image from untrusted registry | Namespace: pets | Pod: store-front-658994fd95-pk9qn
- Container: webserver-simple | Image: docker.io/kostiscodefresh/gitops-simple-app:v1.0 | Issue: Image from untrusted registry | Namespace: prometheus | Pod: simple-deployment-74fd649f8d-2x6w5
- Container: webserver-simple | Image: docker.io/kostiscodefresh/gitops-simple-app:v1.0 | Issue: Image from untrusted registry | Namespace: sealed-secrets | Pod: simple-deployment-74fd649f8d-stktp
- Container: webserver-simple | Image: docker.io/kostiscodefresh/gitops-simple-app:v1.0 | Issue: Image from untrusted registry | Namespace: test | Pod: simple-deployment-74fd649f8d-lhlkx

[SEC015 - Pods Using Default ServiceAccount]
Section: Security
Category: Pod Security
Severity: Medium
Recommendation: Assign a dedicated ServiceAccount to each workload with least-privilege permissions.
URL: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
⚠️ Total Issues: 20
- Issue: Using default ServiceAccount | Namespace: argo-rollouts | Pod: simple-deployment-74fd649f8d-996vt | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: argo-workflows | Pod: simple-deployment-74fd649f8d-24t56 | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: cert-manager | Pod: simple-deployment-74fd649f8d-7cht8 | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: grafana | Pod: simple-deployment-74fd649f8d-l7wrd | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: kube-system | Pod: azure-ip-masq-agent-4522j | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: kube-system | Pod: azure-ip-masq-agent-4c7cr | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: kube-system | Pod: azure-ip-masq-agent-78rnw | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: kube-system | Pod: azure-ip-masq-agent-84ltn | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: kube-system | Pod: azure-ip-masq-agent-t4c2w | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: kube-system | Pod: azure-ip-masq-agent-vbdd8 | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: kubeview | Pod: simple-deployment-74fd649f8d-qxp2r | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: linkerd | Pod: simple-deployment-74fd649f8d-mkmst | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: nginx | Pod: simple-deployment-74fd649f8d-hlcdk | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: pets | Pod: order-service-6c5bfb6946-b58xq | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: pets | Pod: product-service-5dd87dfb8-ssfxc | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: pets | Pod: rabbitmq-0 | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: pets | Pod: store-front-658994fd95-pk9qn | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: prometheus | Pod: simple-deployment-74fd649f8d-2x6w5 | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: sealed-secrets | Pod: simple-deployment-74fd649f8d-stktp | ServiceAccount: default
- Issue: Using default ServiceAccount | Namespace: test | Pod: simple-deployment-74fd649f8d-lhlkx | ServiceAccount: default

[SEC016 - Non-Existent Secret References]
Section: Security
Category: Pod Security
Severity: High
Recommendation: Verify that all Secrets referenced by pods exist in the target namespace.
URL: https://kubernetes.io/docs/concepts/configuration/secret/
⚠️ Total Issues: 33
- Issue: Missing secret reference in volume | Namespace: aks-istio-system | Pod: istiod-asm-1-23-7744d5fbf4-9572m | Secret: cacerts | Volume: cacerts
- Issue: Missing secret reference in volume | Namespace: aks-istio-system | Pod: istiod-asm-1-23-7744d5fbf4-9572m | Secret: istio-kubeconfig | Volume: istio-kubeconfig
- Issue: Missing secret reference in volume | Namespace: aks-istio-system | Pod: istiod-asm-1-23-7744d5fbf4-9572m | Secret: istiod-tls | Volume: istio-csr-dns-cert
- Issue: Missing secret reference in volume | Namespace: aks-istio-system | Pod: istiod-asm-1-23-7744d5fbf4-rqzvt | Secret: cacerts | Volume: cacerts
- Issue: Missing secret reference in volume | Namespace: aks-istio-system | Pod: istiod-asm-1-23-7744d5fbf4-rqzvt | Secret: istio-kubeconfig | Volume: istio-kubeconfig
- Issue: Missing secret reference in volume | Namespace: aks-istio-system | Pod: istiod-asm-1-23-7744d5fbf4-rqzvt | Secret: istiod-tls | Volume: istio-csr-dns-cert
- Issue: Missing secret reference in volume | Namespace: argocd | Pod: argocd-application-controller-0 | Secret: argocd-repo-server-tls | Volume: argocd-repo-server-tls
- Issue: Missing secret reference in volume | Namespace: argocd | Pod: argocd-applicationset-controller-6fdf84dbb6-msffz | Secret: argocd-repo-server-tls | Volume: argocd-repo-server-tls
- Issue: Missing secret reference in volume | Namespace: argocd | Pod: argocd-dex-server-556c76889-h4kxj | Secret: argocd-dex-server-tls | Volume: argocd-dex-server-tls
- Issue: Missing secret reference in volume | Namespace: argocd | Pod: argocd-notifications-controller-6ff6bf8dd6-nbktr | Secret: argocd-repo-server-tls | Volume: argocd-repo-server-tls
- Issue: Missing secret reference in volume | Namespace: argocd | Pod: argocd-repo-server-8568fc89b5-sx6ks | Secret: argocd-repo-server-tls | Volume: argocd-repo-server-tls
- Issue: Missing secret reference in volume | Namespace: argocd | Pod: argocd-repo-server-8568fc89b5-xrzzn | Secret: argocd-repo-server-tls | Volume: argocd-repo-server-tls
- Issue: Missing secret reference in volume | Namespace: argocd | Pod: argocd-server-54f9645b87-k4rz8 | Secret: argocd-repo-server-tls | Volume: argocd-repo-server-tls
- Issue: Missing secret reference in volume | Namespace: argocd | Pod: argocd-server-54f9645b87-k4rz8 | Secret: argocd-dex-server-tls | Volume: argocd-dex-server-tls
- Issue: Missing secret reference in volume | Namespace: argocd | Pod: argocd-server-54f9645b87-wwzgz | Secret: argocd-repo-server-tls | Volume: argocd-repo-server-tls
- Issue: Missing secret reference in volume | Namespace: argocd | Pod: argocd-server-54f9645b87-wwzgz | Secret: argocd-dex-server-tls | Volume: argocd-dex-server-tls
- Issue: Missing secret reference in volume | Namespace: kiali-operator | Pod: kiali-5b88cfb6f8-cm8dz | Secret: kiali | Volume: kiali-secret
- Issue: Missing secret reference in volume | Namespace: kube-system | Pod: ama-logs-4v8mz | Secret: ama-logs-adx-secret | Volume: ama-logs-adx-secret
- Issue: Missing secret reference in volume | Namespace: kube-system | Pod: ama-logs-5vr2w | Secret: ama-logs-adx-secret | Volume: ama-logs-adx-secret
- Issue: Missing secret reference in volume | Namespace: kube-system | Pod: ama-logs-fmd7b | Secret: ama-logs-adx-secret | Volume: ama-logs-adx-secret
- Issue: Missing secret reference in volume | Namespace: kube-system | Pod: ama-logs-fpkw6 | Secret: ama-logs-adx-secret | Volume: ama-logs-adx-secret
- Issue: Missing secret reference in volume | Namespace: kube-system | Pod: ama-logs-gqs28 | Secret: ama-logs-adx-secret | Volume: ama-logs-adx-secret
- Issue: Missing secret reference in volume | Namespace: kube-system | Pod: ama-logs-ndxrw | Secret: ama-logs-adx-secret | Volume: ama-logs-adx-secret
- Issue: Missing secret reference in volume | Namespace: kube-system | Pod: ama-logs-rs-64765bd4b9-ldxwl | Secret: ama-logs-adx-secret | Volume: ama-logs-adx-secret
- Issue: Missing secret reference in volume | Namespace: kube-system | Pod: ama-metrics-7f878d975f-hlggb | Secret: ama-metrics-mtls-secret | Volume: ama-metrics-tls-secret-volume
- Issue: Missing secret reference in volume | Namespace: kube-system | Pod: ama-metrics-7f878d975f-q2mlg | Secret: ama-metrics-mtls-secret | Volume: ama-metrics-tls-secret-volume
- Issue: Missing secret reference in volume | Namespace: kube-system | Pod: ama-metrics-node-2ssrw | Secret: ama-metrics-mtls-secret | Volume: ama-metrics-tls-secret-volume
- Issue: Missing secret reference in volume | Namespace: kube-system | Pod: ama-metrics-node-6kkz8 | Secret: ama-metrics-mtls-secret | Volume: ama-metrics-tls-secret-volume
- Issue: Missing secret reference in volume | Namespace: kube-system | Pod: ama-metrics-node-9h44h | Secret: ama-metrics-mtls-secret | Volume: ama-metrics-tls-secret-volume
- Issue: Missing secret reference in volume | Namespace: kube-system | Pod: ama-metrics-node-lhk42 | Secret: ama-metrics-mtls-secret | Volume: ama-metrics-tls-secret-volume
- Issue: Missing secret reference in volume | Namespace: kube-system | Pod: ama-metrics-node-nm5bf | Secret: ama-metrics-mtls-secret | Volume: ama-metrics-tls-secret-volume
- Issue: Missing secret reference in volume | Namespace: kube-system | Pod: ama-metrics-node-pqcz5 | Secret: ama-metrics-mtls-secret | Volume: ama-metrics-tls-secret-volume
- Issue: Missing secret reference in volume | Namespace: kube-system | Pod: ama-metrics-operator-targets-66fb46c8d6-vskdg | Secret: ama-metrics-mtls-secret | Volume: ama-metrics-tls-secret-volume

[WRK001 - DaemonSets Not Fully Running]
Section: Workloads
Category: Workloads
Severity: Warning
Recommendation: Investigate DaemonSets not fully running. Common causes include taints, node issues, or resource constraints.
URL: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
✅ No issues detected for DaemonSets Not Fully Running.

[WRK002 - Deployment Missing Replicas]
Section: Workloads
Category: Workloads
Severity: Warning
Recommendation: Check Deployments that are not meeting their replica count. This may indicate rollout issues or failed pods.
URL: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
✅ No issues detected for Deployment Missing Replicas.

[WRK003 - StatefulSet Incomplete Rollout]
Section: Workloads
Category: Workloads
Severity: Warning
Recommendation: Investigate StatefulSets with missing ready replicas. This may indicate issues with pod readiness or volume binding.
URL: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
✅ No issues detected for StatefulSet Incomplete Rollout.

[WRK004 - HPA Misconfiguration or Inactivity]
Section: Workloads
Category: Workloads
Severity: Warning
Recommendation: Review HorizontalPodAutoscalers with missing targets, no metrics, or disabled scaling.
URL: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
✅ No issues detected for HPA Misconfiguration or Inactivity.

[WRK005 - Missing Resource Requests or Limits]
Section: Workloads
Category: Workloads
Severity: Warning
Recommendation: Specify resource requests and limits on all containers.
URL: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
⚠️ Total Issues: 94
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: aks-istio-ingress | Resource: Deployment/aks-istio-ingressgateway-external-asm-1-23 | Value: istio-proxy
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: aks-istio-system | Resource: Deployment/istiod-asm-1-23 | Value: discovery
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: app-routing-system | Resource: Deployment/nginx | Value: controller
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: argo-rollouts | Resource: Deployment/simple-deployment | Value: webserver-simple
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: argo-workflows | Resource: Deployment/simple-deployment | Value: webserver-simple
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: argocd | Resource: Deployment/argocd-applicationset-controller | Value: argocd-applicationset-controller
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: argocd | Resource: Deployment/argocd-dex-server | Value: dex
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: argocd | Resource: Deployment/argocd-dex-server | Value: copyutil
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: argocd | Resource: Deployment/argocd-notifications-controller | Value: argocd-notifications-controller
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: argocd | Resource: Deployment/argocd-redis-ha-haproxy | Value: haproxy
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: argocd | Resource: Deployment/argocd-redis-ha-haproxy | Value: secret-init
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: argocd | Resource:
Deployment/argocd-redis-ha-haproxy | Value: config-init - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: argocd | Resource: Deployment/argocd-repo-server | Value: argocd-repo-server - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: argocd | Resource: Deployment/argocd-repo-server | Value: copyutil - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: argocd | Resource: Deployment/argocd-server | Value: argocd-server - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: cert-manager | Resource: Deployment/simple-deployment | Value: webserver-simple - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: gatekeeper-system | Resource: Deployment/gatekeeper-audit | Value: gatekeeper-audit-container - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: gatekeeper-system | Resource: Deployment/gatekeeper-controller | Value: gatekeeper-controller-container - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: grafana | Resource: Deployment/simple-deployment | Value: webserver-simple - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kiali-operator | Resource: Deployment/kiali | Value: kiali - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kiali-operator | Resource: Deployment/kiali-operator | Value: operator - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/ama-logs-rs | Value: ama-logs - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/ama-metrics | Value: prometheus-collector - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/ama-metrics | Value: addon-token-adapter - Message: CPU and Memory Requests and CPU and 
Memory Limits missing | Namespace: kube-system | Resource: Deployment/ama-metrics-ksm | Value: ama-metrics-ksm - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/ama-metrics-operator-targets | Value: targetallocator - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/ama-metrics-operator-targets | Value: config-reader - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/azure-policy | Value: azure-policy - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/azure-policy-webhook | Value: azure-policy-webhook - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/azure-wi-webhook-controller-manager | Value: manager - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/coredns | Value: coredns - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/coredns-autoscaler | Value: autoscaler - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/eraser-controller-manager | Value: manager - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/extension-agent | Value: extension-agent - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/extension-agent | Value: fluent-bit - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/extension-operator | Value: manager - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/extension-operator 
| Value: fluent-bit - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/keda-admission-webhooks | Value: keda-admission-webhooks - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/keda-operator | Value: keda-operator - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/keda-operator-metrics-apiserver | Value: keda-operator-metrics-apiserver - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/konnectivity-agent | Value: konnectivity-agent - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/konnectivity-agent-autoscaler | Value: autoscaler - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/metrics-server | Value: metrics-server-vpa - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/metrics-server | Value: metrics-server - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/microsoft-defender-collector-misc | Value: microsoft-defender-pod-collector - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/vpa-admission-controller | Value: admission-controller - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/vpa-recommender | Value: recommender - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: Deployment/vpa-updater | Value: updater - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kubeview | Resource: Deployment/simple-deployment | Value: 
webserver-simple - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: linkerd | Resource: Deployment/simple-deployment | Value: webserver-simple - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: nginx | Resource: Deployment/simple-deployment | Value: webserver-simple - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: pets | Resource: Deployment/order-service | Value: order-service - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: pets | Resource: Deployment/order-service | Value: wait-for-rabbitmq - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: pets | Resource: Deployment/product-service | Value: product-service - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: pets | Resource: Deployment/store-front | Value: store-front - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: prometheus | Resource: Deployment/simple-deployment | Value: webserver-simple - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: sealed-secrets | Resource: Deployment/simple-deployment | Value: webserver-simple - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: test | Resource: Deployment/simple-deployment | Value: webserver-simple - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: argocd | Resource: StatefulSet/argocd-application-controller | Value: argocd-application-controller - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: argocd | Resource: StatefulSet/argocd-redis-ha-server | Value: redis - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: argocd | Resource: StatefulSet/argocd-redis-ha-server | Value: sentinel - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: argocd | Resource: 
StatefulSet/argocd-redis-ha-server | Value: split-brain-fix - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: argocd | Resource: StatefulSet/argocd-redis-ha-server | Value: config-init - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: pets | Resource: StatefulSet/rabbitmq | Value: rabbitmq - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/aks-secrets-store-csi-driver | Value: node-driver-registrar - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/aks-secrets-store-csi-driver | Value: secrets-store - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/aks-secrets-store-csi-driver | Value: liveness-probe - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/aks-secrets-store-csi-driver-windows | Value: node-driver-registrar - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/aks-secrets-store-csi-driver-windows | Value: secrets-store - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/aks-secrets-store-csi-driver-windows | Value: liveness-probe - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/aks-secrets-store-provider-azure | Value: provider-azure-installer - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/aks-secrets-store-provider-azure-windows | Value: provider-azure-installer - Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/ama-logs | Value: ama-logs - Message: CPU and Memory Requests and CPU and Memory Limits missing | 
Namespace: kube-system | Resource: DaemonSet/ama-logs | Value: ama-logs-prometheus
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/ama-logs-windows | Value: ama-logs-windows
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/ama-metrics-node | Value: prometheus-collector
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/ama-metrics-node | Value: addon-token-adapter
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/ama-metrics-win-node | Value: prometheus-collector
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/ama-metrics-win-node | Value: addon-token-adapter-win
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/azure-ip-masq-agent | Value: azure-ip-masq-agent
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/azure-npm | Value: azure-npm
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/azure-npm | Value: block-wireserver
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/cloud-node-manager | Value: cloud-node-manager
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/cloud-node-manager-windows | Value: cloud-node-manager
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/kube-proxy | Value: kube-proxy
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/kube-proxy | Value:
kube-proxy-bootstrap
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/microsoft-defender-collector-ds | Value: microsoft-defender-pod-collector
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/microsoft-defender-collector-ds | Value: microsoft-defender-low-level-collector
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/microsoft-defender-publisher-ds | Value: microsoft-defender-publisher
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/microsoft-defender-publisher-ds | Value: old-file-cleaner
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/retina-agent | Value: retina
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/retina-agent | Value: retina-agent-init
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/retina-agent-win | Value: retinawin
- Message: CPU and Memory Requests and CPU and Memory Limits missing | Namespace: kube-system | Resource: DaemonSet/windows-kube-proxy-initializer | Value: pause

[WRK006 - PDB Coverage and Effectiveness]
Section: Workloads
Category: PDBs
Severity: High
Recommendation: Workloads should have a valid PDB to prevent availability issues during disruptions.
URL: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
⚠️ Total Issues: 25
- Issue: ⚠️ maxUnavailable = 100% | Kind: PDB | Name: nginx | Namespace: app-routing-system
- Issue: ❌ No matching PDB | Kind: Deployment | Name: simple-deployment | Namespace: argo-rollouts
- Issue: ❌ No matching PDB | Kind: Deployment | Name: simple-deployment | Namespace: argo-workflows
- Issue: ❌ No matching PDB | Kind: Deployment | Name: argocd-applicationset-controller | Namespace: argocd
- Issue: ❌ No matching PDB | Kind: Deployment | Name: argocd-dex-server | Namespace: argocd
- Issue: ❌ No matching PDB | Kind: Deployment | Name: argocd-notifications-controller | Namespace: argocd
- Issue: ❌ No matching PDB | Kind: Deployment | Name: argocd-redis-ha-haproxy | Namespace: argocd
- Issue: ❌ No matching PDB | Kind: Deployment | Name: argocd-repo-server | Namespace: argocd
- Issue: ❌ No matching PDB | Kind: Deployment | Name: argocd-server | Namespace: argocd
- Issue: ❌ No matching PDB | Kind: Deployment | Name: simple-deployment | Namespace: cert-manager
- Issue: ❌ No matching PDB | Kind: Deployment | Name: simple-deployment | Namespace: grafana
- Issue: ❌ No matching PDB | Kind: Deployment | Name: kiali | Namespace: kiali-operator
- Issue: ❌ No matching PDB | Kind: Deployment | Name: kiali-operator | Namespace: kiali-operator
- Issue: ❌ No matching PDB | Kind: Deployment | Name: simple-deployment | Namespace: kubeview
- Issue: ❌ No matching PDB | Kind: Deployment | Name: simple-deployment | Namespace: linkerd
- Issue: ❌ No matching PDB | Kind: Deployment | Name: simple-deployment | Namespace: nginx
- Issue: ❌ No matching PDB | Kind: Deployment | Name: order-service | Namespace: pets
- Issue: ❌ No matching PDB | Kind: Deployment | Name: product-service | Namespace: pets
- Issue: ❌ No matching PDB | Kind: Deployment | Name: store-front | Namespace: pets
- Issue: ❌ No matching PDB | Kind: Deployment | Name: simple-deployment | Namespace: prometheus
- Issue: ❌ No matching PDB
| Kind: Deployment | Name: simple-deployment | Namespace: sealed-secrets
- Issue: ❌ No matching PDB | Kind: Deployment | Name: simple-deployment | Namespace: test
- Issue: ❌ No matching PDB | Kind: StatefulSet | Name: argocd-application-controller | Namespace: argocd
- Issue: ❌ No matching PDB | Kind: StatefulSet | Name: argocd-redis-ha-server | Namespace: argocd
- Issue: ❌ No matching PDB | Kind: StatefulSet | Name: rabbitmq | Namespace: pets

[WRK007 - Missing Readiness and Liveness Probes]
Section: Workloads
Category: Probes
Severity: Medium
Recommendation: Add readiness and liveness probes to all containers to improve availability and fault detection.
URL: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
⚠️ Total Issues: 60
- Container: istio-proxy | Kind: Deployment | Missing: readiness, liveness | Namespace: aks-istio-ingress | Workload: aks-istio-ingressgateway-external-asm-1-23
- Container: discovery | Kind: Deployment | Missing: liveness | Namespace: aks-istio-system | Workload: istiod-asm-1-23
- Container: webserver-simple | Kind: Deployment | Missing: readiness, liveness | Namespace: argo-rollouts | Workload: simple-deployment
- Container: webserver-simple | Kind: Deployment | Missing: readiness, liveness | Namespace: argo-workflows | Workload: simple-deployment
- Container: argocd-applicationset-controller | Kind: Deployment | Missing: readiness, liveness | Namespace: argocd | Workload: argocd-applicationset-controller
- Container: dex | Kind: Deployment | Missing: readiness, liveness | Namespace: argocd | Workload: argocd-dex-server
- Container: argocd-notifications-controller | Kind: Deployment | Missing: readiness | Namespace: argocd | Workload: argocd-notifications-controller
- Container: webserver-simple | Kind: Deployment | Missing: readiness, liveness | Namespace: cert-manager | Workload: simple-deployment
- Container: webserver-simple | Kind: Deployment | Missing: readiness, liveness |
Namespace: grafana | Workload: simple-deployment
- Container: ama-logs | Kind: Deployment | Missing: readiness | Namespace: kube-system | Workload: ama-logs-rs
- Container: prometheus-collector | Kind: Deployment | Missing: readiness | Namespace: kube-system | Workload: ama-metrics
- Container: addon-token-adapter | Kind: Deployment | Missing: readiness | Namespace: kube-system | Workload: ama-metrics
- Container: targetallocator | Kind: Deployment | Missing: readiness | Namespace: kube-system | Workload: ama-metrics-operator-targets
- Container: config-reader | Kind: Deployment | Missing: readiness | Namespace: kube-system | Workload: ama-metrics-operator-targets
- Container: autoscaler | Kind: Deployment | Missing: readiness | Namespace: kube-system | Workload: coredns-autoscaler
- Container: extension-agent | Kind: Deployment | Missing: readiness, liveness | Namespace: kube-system | Workload: extension-agent
- Container: fluent-bit | Kind: Deployment | Missing: readiness, liveness | Namespace: kube-system | Workload: extension-agent
- Container: manager | Kind: Deployment | Missing: readiness, liveness | Namespace: kube-system | Workload: extension-operator
- Container: fluent-bit | Kind: Deployment | Missing: readiness, liveness | Namespace: kube-system | Workload: extension-operator
- Container: autoscaler | Kind: Deployment | Missing: readiness | Namespace: kube-system | Workload: konnectivity-agent-autoscaler
- Container: metrics-server-vpa | Kind: Deployment | Missing: readiness, liveness | Namespace: kube-system | Workload: metrics-server
- Container: microsoft-defender-pod-collector | Kind: Deployment | Missing: readiness, liveness | Namespace: kube-system | Workload: microsoft-defender-collector-misc
- Container: admission-controller | Kind: Deployment | Missing: readiness, liveness | Namespace: kube-system | Workload: vpa-admission-controller
- Container: recommender | Kind: Deployment | Missing: readiness, liveness | Namespace: kube-system | Workload:
vpa-recommender
- Container: updater | Kind: Deployment | Missing: readiness, liveness | Namespace: kube-system | Workload: vpa-updater
- Container: webserver-simple | Kind: Deployment | Missing: readiness, liveness | Namespace: kubeview | Workload: simple-deployment
- Container: webserver-simple | Kind: Deployment | Missing: readiness, liveness | Namespace: linkerd | Workload: simple-deployment
- Container: webserver-simple | Kind: Deployment | Missing: readiness, liveness | Namespace: nginx | Workload: simple-deployment
- Container: webserver-simple | Kind: Deployment | Missing: readiness, liveness | Namespace: prometheus | Workload: simple-deployment
- Container: webserver-simple | Kind: Deployment | Missing: readiness, liveness | Namespace: sealed-secrets | Workload: simple-deployment
- Container: webserver-simple | Kind: Deployment | Missing: readiness, liveness | Namespace: test | Workload: simple-deployment
- Container: argocd-application-controller | Kind: StatefulSet | Missing: liveness | Namespace: argocd | Workload: argocd-application-controller
- Container: split-brain-fix | Kind: StatefulSet | Missing: readiness, liveness | Namespace: argocd | Workload: argocd-redis-ha-server
- Container: rabbitmq | Kind: StatefulSet | Missing: readiness, liveness | Namespace: pets | Workload: rabbitmq
- Container: node-driver-registrar | Kind: DaemonSet | Missing: readiness | Namespace: kube-system | Workload: aks-secrets-store-csi-driver
- Container: secrets-store | Kind: DaemonSet | Missing: readiness | Namespace: kube-system | Workload: aks-secrets-store-csi-driver
- Container: liveness-probe | Kind: DaemonSet | Missing: readiness, liveness | Namespace: kube-system | Workload: aks-secrets-store-csi-driver
- Container: node-driver-registrar | Kind: DaemonSet | Missing: readiness | Namespace: kube-system | Workload: aks-secrets-store-csi-driver-windows
- Container: secrets-store | Kind: DaemonSet | Missing: readiness | Namespace: kube-system | Workload:
aks-secrets-store-csi-driver-windows
- Container: liveness-probe | Kind: DaemonSet | Missing: readiness, liveness | Namespace: kube-system | Workload: aks-secrets-store-csi-driver-windows
- Container: provider-azure-installer | Kind: DaemonSet | Missing: readiness | Namespace: kube-system | Workload: aks-secrets-store-provider-azure
- Container: provider-azure-installer | Kind: DaemonSet | Missing: readiness | Namespace: kube-system | Workload: aks-secrets-store-provider-azure-windows
- Container: ama-logs | Kind: DaemonSet | Missing: readiness | Namespace: kube-system | Workload: ama-logs
- Container: ama-logs-prometheus | Kind: DaemonSet | Missing: readiness | Namespace: kube-system | Workload: ama-logs
- Container: ama-logs-windows | Kind: DaemonSet | Missing: readiness | Namespace: kube-system | Workload: ama-logs-windows
- Container: prometheus-collector | Kind: DaemonSet | Missing: readiness | Namespace: kube-system | Workload: ama-metrics-node
- Container: addon-token-adapter | Kind: DaemonSet | Missing: readiness | Namespace: kube-system | Workload: ama-metrics-node
- Container: prometheus-collector | Kind: DaemonSet | Missing: readiness | Namespace: kube-system | Workload: ama-metrics-win-node
- Container: addon-token-adapter-win | Kind: DaemonSet | Missing: readiness | Namespace: kube-system | Workload: ama-metrics-win-node
- Container: azure-ip-masq-agent | Kind: DaemonSet | Missing: readiness, liveness | Namespace: kube-system | Workload: azure-ip-masq-agent
- Container: azure-npm | Kind: DaemonSet | Missing: readiness, liveness | Namespace: kube-system | Workload: azure-npm
- Container: cloud-node-manager | Kind: DaemonSet | Missing: readiness, liveness | Namespace: kube-system | Workload: cloud-node-manager
- Container: cloud-node-manager | Kind: DaemonSet | Missing: readiness, liveness | Namespace: kube-system | Workload: cloud-node-manager-windows
- Container: kube-proxy | Kind: DaemonSet | Missing: readiness, liveness | Namespace: kube-system |
Workload: kube-proxy
- Container: microsoft-defender-pod-collector | Kind: DaemonSet | Missing: readiness, liveness | Namespace: kube-system | Workload: microsoft-defender-collector-ds
- Container: microsoft-defender-low-level-collector | Kind: DaemonSet | Missing: readiness, liveness | Namespace: kube-system | Workload: microsoft-defender-collector-ds
- Container: microsoft-defender-publisher | Kind: DaemonSet | Missing: readiness, liveness | Namespace: kube-system | Workload: microsoft-defender-publisher-ds
- Container: retina | Kind: DaemonSet | Missing: liveness | Namespace: kube-system | Workload: retina-agent
- Container: retinawin | Kind: DaemonSet | Missing: readiness, liveness | Namespace: kube-system | Workload: retina-agent-win
- Container: pause | Kind: DaemonSet | Missing: readiness, liveness | Namespace: kube-system | Workload: windows-kube-proxy-initializer

[WRK008 - Deployment Selector Without Matching Pods]
Section: Workloads
Category: Workloads
Severity: Medium
Recommendation: Ensure that pod labels match the Deployment selector.
URL: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
✅ No issues detected for Deployment Selector Without Matching Pods.

[✅ AKS Best Practices Check]

[AKSBP001 - Allowed Container Images Policy Enforcement]
Category: Best Practices
Severity: High
Recommendation: Deploy and enforce the 'Only Allowed Images' policy with deny mode to restrict unapproved images.
URL: https://learn.microsoft.com/azure/aks/policy-reference
⚠️ Total Issues: 1
- IsReadOnly: False | IsFixedSize: False | IsSynchronized: False | Keys: Issue Resource | Values: The 'Only Allowed Images' policy is either missing or not enforcing deny mode, increasing the risk of running untrusted images.
Allowed Container Images Policy Enforcement | SyncRoot: System.Collections.Hashtable | Count: 2

[AKSBP002 - No Privileged Containers Policy Enforcement]
Category: Best Practices
Severity: High
Recommendation: Deploy and enforce the 'No Privileged Containers' policy in deny mode to block privileged containers and enhance security.
URL: https://learn.microsoft.com/azure/aks/policy-reference
⚠️ Total Issues: 1
- IsReadOnly: False | IsFixedSize: False | IsSynchronized: False | Keys: Issue Resource | Values: The 'No Privileged Containers' policy is either missing or not enforcing deny mode, allowing potentially insecure workloads. No Privileged Containers Policy Enforcement | SyncRoot: System.Collections.Hashtable | Count: 2

[AKSBP003 - Multiple Node Pools]
Category: Best Practices
Severity: Medium
Recommendation: Multiple Node Pools is enabled.
URL: https://learn.microsoft.com/azure/aks/use-multiple-node-pools
✅ No issues detected for Multiple Node Pools.

[AKSBP004 - Azure Linux as Host OS]
Category: Best Practices
Severity: High
Recommendation: Azure Linux as Host OS is enabled.
URL: https://learn.microsoft.com/azure/aks/use-azure-linux
✅ No issues detected for Azure Linux as Host OS.

[AKSBP005 - Ephemeral OS Disks Enabled]
Category: Best Practices
Severity: Medium
Recommendation: Ephemeral OS Disks Enabled is enabled.
URL: https://learn.microsoft.com/azure/aks/concepts-storage#ephemeral-os-disk
✅ No issues detected for Ephemeral OS Disks Enabled.

[AKSBP006 - Non-Ephemeral Disks with Adequate Size]
Category: Best Practices
Severity: Medium
Recommendation: Non-Ephemeral Disks with Adequate Size is enabled.
URL: https://learn.microsoft.com/azure/aks/concepts-storage#managed-os-disks
✅ No issues detected for Non-Ephemeral Disks with Adequate Size.

[AKSBP007 - System Node Pool Taint]
Category: Best Practices
Severity: High
Recommendation: System Node Pool Taint is enabled.
URL: https://learn.microsoft.com/azure/aks/use-system-pools?tabs=azure-cli#system-and-user-node-pools
✅ No issues detected for System Node Pool Taint.

[AKSBP008 - Auto Upgrade Channel Configured]
Category: Best Practices
Severity: Medium
Recommendation: Auto Upgrade Channel Configured is enabled.
URL: https://learn.microsoft.com/azure/aks/auto-upgrade-cluster?tabs=azure-cli
✅ No issues detected for Auto Upgrade Channel Configured.

[AKSBP009 - Node OS Upgrade Channel Configured]
Category: Best Practices
Severity: Medium
Recommendation: Node OS Upgrade Channel Configured is enabled.
URL: https://learn.microsoft.com/azure/aks/auto-upgrade-node-os-image?tabs=azure-cli
✅ No issues detected for Node OS Upgrade Channel Configured.

[AKSBP010 - Customized MC_ Resource Group Name]
Category: Best Practices
Severity: Medium
Recommendation: Customized MC_ Resource Group Name is enabled.
URL: https://learn.microsoft.com/azure/aks/faq#can-i-provide-my-own-name-for-the-aks-node-resource-group-
✅ No issues detected for Customized MC_ Resource Group Name.

[AKSBP011 - System Node Pool Minimum Size]
Category: Best Practices
Severity: High
Recommendation: System Node Pool Minimum Size is enabled.
URL: https://learn.microsoft.com/azure/aks/use-system-pools?tabs=azure-cli#recommendations
✅ No issues detected for System Node Pool Minimum Size.

[AKSBP012 - Node Pool Version Matches Control Plane]
Category: Best Practices
Severity: Medium
Recommendation: Node Pool Version Matches Control Plane is enabled.
URL: https://learn.microsoft.com/azure/aks/upgrade-cluster#check-the-current-kubernetes-version
✅ No issues detected for Node Pool Version Matches Control Plane.

[AKSDR001 - Agent Pools with Availability Zones]
Category: Disaster Recovery
Severity: High
Recommendation: Agent Pools with Availability Zones is enabled.
URL: https://learn.microsoft.com/azure/aks/availability-zones
✅ No issues detected for Agent Pools with Availability Zones.

[AKSDR002 - Control Plane SLA]
Category: Disaster Recovery
Severity: Medium
Recommendation: Control Plane SLA is enabled.
URL: https://learn.microsoft.com/azure/aks/free-standard-pricing-tiers
✅ No issues detected for Control Plane SLA.

[AKSSEC001 - Private Cluster]
Category: Security
Severity: High
Recommendation: Configure the cluster as a private cluster to restrict API server access to your virtual network.
URL: https://learn.microsoft.com/azure/aks/private-clusters
⚠️ Total Issues: 1
- IsReadOnly: False | IsFixedSize: False | IsSynchronized: False | Keys: Issue Resource | Values: Cluster API server is publicly accessible, increasing security risks. Private Cluster | SyncRoot: System.Collections.Hashtable | Count: 2

[AKSSEC002 - Azure Policy Add-on]
Category: Security
Severity: Medium
Recommendation: Azure Policy Add-on is enabled.
URL: https://learn.microsoft.com/azure/aks/policy-reference
✅ No issues detected for Azure Policy Add-on.

[AKSSEC003 - Defender for Containers]
Category: Security
Severity: High
Recommendation: Defender for Containers is enabled.
URL: https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction
✅ No issues detected for Defender for Containers.

[AKSSEC004 - OIDC Issuer Enabled]
Category: Security
Severity: Medium
Recommendation: OIDC Issuer Enabled is enabled.
URL: https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster
✅ No issues detected for OIDC Issuer Enabled.

[AKSSEC005 - Azure Key Vault Integration]
Category: Security
Severity: High
Recommendation: Azure Key Vault Integration is enabled.
URL: https://learn.microsoft.com/azure/aks/csi-secrets-store-driver
✅ No issues detected for Azure Key Vault Integration.

[AKSSEC006 - Image Cleaner Enabled]
Category: Security
Severity: Medium
Recommendation: Image Cleaner Enabled is enabled.
URL: https://learn.microsoft.com/azure/aks/image-cleaner
✅ No issues detected for Image Cleaner Enabled.

[AKSSEC007 - Kubernetes Dashboard Disabled]
Category: Security
Severity: High
Recommendation: Kubernetes Dashboard Disabled is enabled.
URL: https://learn.microsoft.com/azure/aks/kubernetes-dashboard
✅ No issues detected for Kubernetes Dashboard Disabled.

[AKSSEC08 - Pod Security Admission Enabled]
Category: Security
Severity: High
Recommendation: Enable Pod Security Admission by setting 'podSecurityAdmissionConfiguration' during cluster creation or via supported upgrade path.
URL: https://learn.microsoft.com/en-us/azure/aks/use-psa
⚠️ Total Issues: 1
- IsReadOnly: False | IsFixedSize: False | IsSynchronized: False | Keys: Issue Resource | Values: Pod Security Admission is not enabled on this cluster. This may reduce baseline pod security. Pod Security Admission Enabled | SyncRoot: System.Collections.Hashtable | Count: 2

[AKSMON001 - Azure Monitor]
Category: Monitoring & Logging
Severity: High
Recommendation: Azure Monitor is enabled.
URL: https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-overview
✅ No issues detected for Azure Monitor.

[AKSMON002 - Managed Prometheus Enabled]
Category: Monitoring & Logging
Severity: High
Recommendation: Managed Prometheus Enabled is enabled.
URL: https://learn.microsoft.com/azure/azure-monitor/essentials/prometheus-metrics-overview
✅ No issues detected for Managed Prometheus Enabled.

[AKSNET001 - Authorized IP Ranges]
Category: Networking
Severity: High
Recommendation: Authorized IP Ranges is enabled.
URL: https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-security#secure-access-to-the-api-server-and-cluster-nodes
✅ No issues detected for Authorized IP Ranges.

[AKSNET002 - Network Policy Check]
Category: Networking
Severity: Medium
Recommendation: Network Policy Check is enabled.
URL: https://learn.microsoft.com/azure/aks/operator-best-practices-network#control-traffic-flow-with-network-policies
✅ No issues detected for Network Policy Check.

[AKSNET003 - Web App Routing Enabled]
Category: Networking
Severity: Low
Recommendation: Web App Routing Enabled is enabled.
URL: https://learn.microsoft.com/azure/aks/web-app-routing
✅ No issues detected for Web App Routing Enabled.

[AKSNET004 - Azure CNI Networking Recommended]
Category: Networking
Severity: Medium
Recommendation: Azure CNI Networking Recommended is enabled.
URL: https://learn.microsoft.com/azure/aks/concepts-network#networking-options
✅ No issues detected for Azure CNI Networking Recommended.

[AKSRES001 - Cluster Autoscaler]
Category: Resource Management
Severity: Medium
Recommendation: Cluster Autoscaler is enabled.
URL: https://learn.microsoft.com/azure/aks/cluster-autoscaler
✅ No issues detected for Cluster Autoscaler.

[AKSRES002 - AKS Built-in Cost Tooling Enabled]
Category: Resource Management
Severity: Medium
Recommendation: Enable cost analysis in the AKS metrics profile to gain insights into resource spending and optimize cost management.
URL: https://learn.microsoft.com/azure/aks/cost-analysis
⚠️ Total Issues: 1
- IsReadOnly: False | IsFixedSize: False | IsSynchronized: False | Keys: Issue Resource | Values: AKS built-in cost tooling (Open Costs) is not enabled, making cost allocation and optimization harder. AKS Built-in Cost Tooling Enabled | SyncRoot: System.Collections.Hashtable | Count: 2

[AKSRES003 - Vertical Pod Autoscaler (VPA) is enabled]
Category: Resource Management
Severity: Medium
Recommendation: Vertical Pod Autoscaler (VPA) is enabled is enabled.
URL: https://learn.microsoft.com/azure/aks/vertical-pod-autoscaler
✅ No issues detected for Vertical Pod Autoscaler (VPA) is enabled.

[AKSIAM001 - RBAC Enabled]
Category: Identity & Access
Severity: High
Recommendation: RBAC Enabled is enabled.
URL: https://learn.microsoft.com/azure/aks/manage-azure-rbac?tabs=azure-cli
✅ No issues detected for RBAC Enabled.

[AKSIAM002 - Managed Identity]
Category: Identity & Access
Severity: High
Recommendation: Managed Identity is enabled.
URL: https://learn.microsoft.com/azure/aks/use-managed-identity
✅ No issues detected for Managed Identity.

[AKSIAM003 - Workload Identity Enabled]
Category: Identity & Access
Severity: Medium
Recommendation: Workload Identity Enabled is enabled.
URL: https://learn.microsoft.com/azure/aks/workload-identity-overview
✅ No issues detected for Workload Identity Enabled.

[AKSIAM004 - Managed Identity Used]
Category: Identity & Access
Severity: High
Recommendation: Managed Identity Used is enabled.
URL: https://learn.microsoft.com/azure/aks/use-managed-identity
✅ No issues detected for Managed Identity Used.

[AKSIAM005 - AAD RBAC Authorization Integrated]
Category: Identity & Access
Severity: High
Recommendation: AAD RBAC Authorization Integrated is enabled.
URL: https://learn.microsoft.com/azure/aks/enable-authentication-microsoft-entra-id
✅ No issues detected for AAD RBAC Authorization Integrated.

[AKSIAM006 - AAD Managed Authentication Enabled]
Category: Identity & Access
Severity: High
Recommendation: AAD Managed Authentication Enabled is enabled.
URL: https://learn.microsoft.com/azure/aks/manage-azure-rbac?tabs=azure-cli
✅ No issues detected for AAD Managed Authentication Enabled.

[AKSIAM007 - Local Accounts Disabled]
Category: Identity & Access
Severity: High
Recommendation: Local Accounts Disabled is enabled.
URL: https://learn.microsoft.com/azure/aks/manage-local-accounts-managed-azure-ad
✅ No issues detected for Local Accounts Disabled.

Summary & Rating:
Passed   Failed   Total   Score (%)   Rating
============================================================
✅ 33    ❌ 5     38      86.84       B

🩺 Cluster Health Score: 37 / 100 |