cluster_role_binding_default_service_account_binding_not_activecluster_role_with_validating_or_mutating_admission_webhook_configurationsconfig_map_default_namespace_usedcronjob_container_admission_capability_restrictedcronjob_container_admission_control_plugin_always_pull_imagescronjob_container_admission_control_plugin_no_always_admitcronjob_container_arg_peer_client_cert_auth_enabledcronjob_container_argument_anonymous_auth_disabledcronjob_container_argument_audit_log_maxage_greater_than_30cronjob_container_argument_audit_log_maxbackup_greater_than_10cronjob_container_argument_audit_log_maxsize_greater_than_100cronjob_container_argument_audit_log_path_configuredcronjob_container_argument_authorization_mode_no_always_allowcronjob_container_argument_authorization_mode_nodecronjob_container_argument_authorization_mode_rbaccronjob_container_argument_etcd_auto_tls_disabledcronjob_container_argument_etcd_cafile_configuredcronjob_container_argument_etcd_certfile_and_keyfile_configuredcronjob_container_argument_etcd_client_cert_auth_enabledcronjob_container_argument_etcd_peer_certfile_and_peer_keyfile_configuredcronjob_container_argument_event_qps_less_than_5cronjob_container_argument_insecure_port_0cronjob_container_argument_kube_apiserver_etcd_certfile_and_keyfile_configuredcronjob_container_argument_kube_apiserver_profiling_disabledcronjob_container_argument_kube_apiserver_tls_cert_file_and_tls_private_key_file_configuredcronjob_container_argument_kube_controller_manager_bind_address_127_0_0_1cronjob_container_argument_kube_controller_manager_profiling_disabledcronjob_container_argument_kube_controller_manager_root_ca_file_configuredcronjob_container_argument_kube_controller_manager_service_account_credentials_enabledcronjob_container_argument_kube_controller_manager_service_account_private_key_file_configuredcronjob_container_argument_kube_scheduler_bind_address_127_0_0_1cronjob_container_argument_kube_scheduler_profiling_disabledcronjob_container_argument_kubelet_aut
horization_mode_no_always_allowcronjob_container_argument_kubelet_client_ca_file_configuredcronjob_container_argument_kubelet_client_certificate_and_key_configuredcronjob_container_argument_kubelet_https_enabledcronjob_container_argument_kubelet_read_only_port_0cronjob_container_argument_kubelet_terminated_pod_gc_threshold_configuredcronjob_container_argument_kubelet_tls_cert_file_and_tls_private_key_file_configuredcronjob_container_argument_make_iptables_util_chains_enabledcronjob_container_argument_namespace_lifecycle_enabledcronjob_container_argument_node_restriction_enabledcronjob_container_argument_pod_security_policy_enabledcronjob_container_argument_protect_kernel_defaults_enabledcronjob_container_argument_request_timeout_appropriatecronjob_container_argument_rotate_kubelet_server_certificate_enabledcronjob_container_argument_secure_port_not_0cronjob_container_argument_security_context_deny_enabledcronjob_container_argument_service_account_enabledcronjob_container_argument_service_account_key_file_appropriatecronjob_container_argument_service_account_lookup_enabledcronjob_container_capabilities_drop_allcronjob_container_encryption_providers_configuredcronjob_container_host_port_not_specifiedcronjob_container_image_pull_policy_alwayscronjob_container_image_tag_specifiedcronjob_container_kubelet_certificate_authority_configuredcronjob_container_kubernetes_dashboard_not_deployedcronjob_container_liveness_probecronjob_container_no_argument_basic_auth_filecronjob_container_no_argument_hostname_override_configuredcronjob_container_no_argument_insecure_bind_addresscronjob_container_privilege_disabledcronjob_container_privilege_escalation_disabledcronjob_container_privilege_port_mappedcronjob_container_readiness_probecronjob_container_rotate_certificate_enabledcronjob_container_secrets_defined_as_filescronjob_container_security_context_existscronjob_container_streaming_connection_idle_timeout_not_zerocronjob_container_strong_kube_apiserver_cryptographic_cipherscronjo
b_container_strong_kubelet_cryptographic_cipherscronjob_container_sys_admin_capability_disabledcronjob_container_token_auth_file_not_configuredcronjob_container_with_added_capabilitiescronjob_cpu_limitcronjob_cpu_requestcronjob_default_namespace_usedcronjob_default_seccomp_profile_enabledcronjob_host_network_access_disabledcronjob_hostpid_hostipc_sharing_disabledcronjob_immutable_container_filesystemcronjob_memory_limitcronjob_memory_requestcronjob_non_root_containerdaemonset_container_admission_capability_restricteddaemonset_container_admission_control_plugin_always_pull_imagesdaemonset_container_admission_control_plugin_no_always_admitdaemonset_container_arg_peer_client_cert_auth_enableddaemonset_container_argument_anonymous_auth_disableddaemonset_container_argument_audit_log_maxage_greater_than_30daemonset_container_argument_audit_log_maxbackup_greater_than_10daemonset_container_argument_audit_log_maxsize_greater_than_100daemonset_container_argument_audit_log_path_configureddaemonset_container_argument_authorization_mode_no_always_allowdaemonset_container_argument_authorization_mode_nodedaemonset_container_argument_authorization_mode_rbacdaemonset_container_argument_etcd_auto_tls_disableddaemonset_container_argument_etcd_cafile_configureddaemonset_container_argument_etcd_certfile_and_keyfile_configureddaemonset_container_argument_etcd_client_cert_auth_enableddaemonset_container_argument_etcd_peer_certfile_and_peer_keyfile_configureddaemonset_container_argument_event_qps_less_than_5daemonset_container_argument_insecure_port_0daemonset_container_argument_kube_apiserver_etcd_certfile_and_keyfile_configureddaemonset_container_argument_kube_apiserver_profiling_disableddaemonset_container_argument_kube_apiserver_tls_cert_file_and_tls_private_key_file_configureddaemonset_container_argument_kube_controller_manager_bind_address_127_0_0_1daemonset_container_argument_kube_controller_manager_profiling_disableddaemonset_container_argument_kube_controller_manager_root_ca_file_
configureddaemonset_container_argument_kube_controller_manager_service_account_credentials_enableddaemonset_container_argument_kube_controller_manager_service_account_private_key_file_configureddaemonset_container_argument_kube_scheduler_bind_address_127_0_0_1daemonset_container_argument_kube_scheduler_profiling_disableddaemonset_container_argument_kubelet_authorization_mode_no_always_allowdaemonset_container_argument_kubelet_client_ca_file_configureddaemonset_container_argument_kubelet_client_certificate_and_key_configureddaemonset_container_argument_kubelet_https_enableddaemonset_container_argument_kubelet_read_only_port_0daemonset_container_argument_kubelet_terminated_pod_gc_threshold_configureddaemonset_container_argument_kubelet_tls_cert_file_and_tls_private_key_file_configureddaemonset_container_argument_make_iptables_util_chains_enableddaemonset_container_argument_namespace_lifecycle_enableddaemonset_container_argument_node_restriction_enableddaemonset_container_argument_pod_security_policy_enableddaemonset_container_argument_protect_kernel_defaults_enableddaemonset_container_argument_request_timeout_appropriatedaemonset_container_argument_rotate_kubelet_server_certificate_enableddaemonset_container_argument_secure_port_not_0daemonset_container_argument_security_context_deny_enableddaemonset_container_argument_service_account_enableddaemonset_container_argument_service_account_key_file_appropriatedaemonset_container_argument_service_account_lookup_enableddaemonset_container_capabilities_drop_alldaemonset_container_encryption_providers_configureddaemonset_container_host_port_not_specifieddaemonset_container_image_pull_policy_alwaysdaemonset_container_image_tag_specifieddaemonset_container_kubelet_certificate_authority_configureddaemonset_container_kubernetes_dashboard_not_deployeddaemonset_container_liveness_probedaemonset_container_no_argument_basic_auth_filedaemonset_container_no_argument_hostname_override_configureddaemonset_container_no_argument_insecure_b
ind_addressdaemonset_container_privilege_disableddaemonset_container_privilege_escalation_disableddaemonset_container_privilege_port_mappeddaemonset_container_readiness_probedaemonset_container_rotate_certificate_enableddaemonset_container_secrets_defined_as_filesdaemonset_container_security_context_existsdaemonset_container_streaming_connection_idle_timeout_not_zerodaemonset_container_strong_kube_apiserver_cryptographic_ciphersdaemonset_container_strong_kubelet_cryptographic_ciphersdaemonset_container_sys_admin_capability_disableddaemonset_container_token_auth_file_not_configureddaemonset_container_with_added_capabilitiesdaemonset_cpu_limitdaemonset_cpu_requestdaemonset_default_namespace_useddaemonset_default_seccomp_profile_enableddaemonset_host_network_access_disableddaemonset_hostpid_hostipc_sharing_disableddaemonset_immutable_container_filesystemdaemonset_memory_limitdaemonset_memory_requestdaemonset_non_root_containerdeployment_container_admission_capability_restricteddeployment_container_admission_control_plugin_always_pull_imagesdeployment_container_admission_control_plugin_no_always_admitdeployment_container_arg_peer_client_cert_auth_enableddeployment_container_argument_anonymous_auth_disableddeployment_container_argument_audit_log_maxage_greater_than_30deployment_container_argument_audit_log_maxbackup_greater_than_10deployment_container_argument_audit_log_maxsize_greater_than_100deployment_container_argument_audit_log_path_configureddeployment_container_argument_authorization_mode_no_always_allowdeployment_container_argument_authorization_mode_nodedeployment_container_argument_authorization_mode_rbacdeployment_container_argument_etcd_auto_tls_disableddeployment_container_argument_etcd_cafile_configureddeployment_container_argument_etcd_certfile_and_keyfile_configureddeployment_container_argument_etcd_client_cert_auth_enableddeployment_container_argument_etcd_peer_certfile_and_peer_keyfile_configureddeployment_container_argument_event_qps_less_than_5deploym
ent_container_argument_insecure_port_0deployment_container_argument_kube_apiserver_etcd_certfile_and_keyfile_configureddeployment_container_argument_kube_apiserver_profiling_disableddeployment_container_argument_kube_apiserver_tls_cert_file_and_tls_private_key_file_configureddeployment_container_argument_kube_controller_manager_bind_address_127_0_0_1deployment_container_argument_kube_controller_manager_profiling_disableddeployment_container_argument_kube_controller_manager_root_ca_file_configureddeployment_container_argument_kube_controller_manager_service_account_credentials_enableddeployment_container_argument_kube_controller_manager_service_account_private_key_file_configureddeployment_container_argument_kube_scheduler_bind_address_127_0_0_1deployment_container_argument_kube_scheduler_profiling_disableddeployment_container_argument_kubelet_authorization_mode_no_always_allowdeployment_container_argument_kubelet_client_ca_file_configureddeployment_container_argument_kubelet_client_certificate_and_key_configureddeployment_container_argument_kubelet_https_enableddeployment_container_argument_kubelet_read_only_port_0deployment_container_argument_kubelet_terminated_pod_gc_threshold_configureddeployment_container_argument_kubelet_tls_cert_file_and_tls_private_key_file_configureddeployment_container_argument_make_iptables_util_chains_enableddeployment_container_argument_namespace_lifecycle_enableddeployment_container_argument_node_restriction_enableddeployment_container_argument_pod_security_policy_enableddeployment_container_argument_protect_kernel_defaults_enableddeployment_container_argument_request_timeout_appropriatedeployment_container_argument_rotate_kubelet_server_certificate_enableddeployment_container_argument_secure_port_not_0deployment_container_argument_security_context_deny_enableddeployment_container_argument_service_account_enableddeployment_container_argument_service_account_key_file_appropriatedeployment_container_argument_service_account_lookup_enabled
deployment_container_capabilities_drop_alldeployment_container_encryption_providers_configureddeployment_container_host_port_not_specifieddeployment_container_image_pull_policy_alwaysdeployment_container_image_tag_specifieddeployment_container_kubelet_certificate_authority_configureddeployment_container_kubernetes_dashboard_not_deployeddeployment_container_liveness_probedeployment_container_no_argument_basic_auth_filedeployment_container_no_argument_hostname_override_configureddeployment_container_no_argument_insecure_bind_addressdeployment_container_privilege_disableddeployment_container_privilege_escalation_disableddeployment_container_privilege_port_mappeddeployment_container_readiness_probedeployment_container_rotate_certificate_enableddeployment_container_secrets_defined_as_filesdeployment_container_security_context_existsdeployment_container_streaming_connection_idle_timeout_not_zerodeployment_container_strong_kube_apiserver_cryptographic_ciphersdeployment_container_strong_kubelet_cryptographic_ciphersdeployment_container_sys_admin_capability_disableddeployment_container_token_auth_file_not_configureddeployment_container_with_added_capabilitiesdeployment_cpu_limitdeployment_cpu_requestdeployment_default_namespace_useddeployment_default_seccomp_profile_enableddeployment_host_network_access_disableddeployment_hostpid_hostipc_sharing_disableddeployment_immutable_container_filesystemdeployment_memory_limitdeployment_memory_requestdeployment_non_root_containerdeployment_replica_minimum_3endpoint_api_serve_on_secure_portingress_default_namespace_usedingress_nginx_annotations_all_snippets_not_usedingress_nginx_annotations_snippets_alias_not_usedingress_nginx_annotations_snippets_lua_code_not_usedjob_container_admission_capability_restrictedjob_container_admission_control_plugin_always_pull_imagesjob_container_admission_control_plugin_no_always_admitjob_container_arg_peer_client_cert_auth_enabledjob_container_argument_anonymous_auth_disabledjob_container_argument_audi
t_log_maxage_greater_than_30job_container_argument_audit_log_maxbackup_greater_than_10job_container_argument_audit_log_maxsize_greater_than_100job_container_argument_audit_log_path_configuredjob_container_argument_authorization_mode_no_always_allowjob_container_argument_authorization_mode_nodejob_container_argument_authorization_mode_rbacjob_container_argument_etcd_auto_tls_disabledjob_container_argument_etcd_cafile_configuredjob_container_argument_etcd_certfile_and_keyfile_configuredjob_container_argument_etcd_client_cert_auth_enabledjob_container_argument_etcd_peer_certfile_and_peer_keyfile_configuredjob_container_argument_event_qps_less_than_5job_container_argument_insecure_port_0job_container_argument_kube_apiserver_etcd_certfile_and_keyfile_configuredjob_container_argument_kube_apiserver_profiling_disabledjob_container_argument_kube_apiserver_tls_cert_file_and_tls_private_key_file_configuredjob_container_argument_kube_controller_manager_bind_address_127_0_0_1job_container_argument_kube_controller_manager_profiling_disabledjob_container_argument_kube_controller_manager_root_ca_file_configuredjob_container_argument_kube_controller_manager_service_account_credentials_enabledjob_container_argument_kube_controller_manager_service_account_private_key_file_configuredjob_container_argument_kube_scheduler_bind_address_127_0_0_1job_container_argument_kube_scheduler_profiling_disabledjob_container_argument_kubelet_authorization_mode_no_always_allowjob_container_argument_kubelet_client_ca_file_configuredjob_container_argument_kubelet_client_certificate_and_key_configuredjob_container_argument_kubelet_https_enabledjob_container_argument_kubelet_read_only_port_0job_container_argument_kubelet_terminated_pod_gc_threshold_configuredjob_container_argument_kubelet_tls_cert_file_and_tls_private_key_file_configuredjob_container_argument_make_iptables_util_chains_enabledjob_container_argument_namespace_lifecycle_enabledjob_container_argument_node_restriction_enabledjob_container_arg
ument_pod_security_policy_enabledjob_container_argument_protect_kernel_defaults_enabledjob_container_argument_request_timeout_appropriatejob_container_argument_rotate_kubelet_server_certificate_enabledjob_container_argument_secure_port_not_0job_container_argument_security_context_deny_enabledjob_container_argument_service_account_enabledjob_container_argument_service_account_key_file_appropriatejob_container_argument_service_account_lookup_enabledjob_container_capabilities_drop_alljob_container_encryption_providers_configuredjob_container_host_port_not_specifiedjob_container_image_pull_policy_alwaysjob_container_image_tag_specifiedjob_container_kubelet_certificate_authority_configuredjob_container_kubernetes_dashboard_not_deployedjob_container_liveness_probejob_container_no_argument_basic_auth_filejob_container_no_argument_hostname_override_configuredjob_container_no_argument_insecure_bind_addressjob_container_privilege_disabledjob_container_privilege_escalation_disabledjob_container_privilege_port_mappedjob_container_readiness_probejob_container_rotate_certificate_enabledjob_container_secrets_defined_as_filesjob_container_security_context_existsjob_container_streaming_connection_idle_timeout_not_zerojob_container_strong_kube_apiserver_cryptographic_ciphersjob_container_strong_kubelet_cryptographic_ciphersjob_container_sys_admin_capability_disabledjob_container_token_auth_file_not_configuredjob_container_with_added_capabilitiesjob_cpu_limitjob_cpu_requestjob_default_namespace_usedjob_default_seccomp_profile_enabledjob_host_network_access_disabledjob_hostpid_hostipc_sharing_disabledjob_immutable_container_filesystemjob_memory_limitjob_memory_requestjob_non_root_containernamespace_limit_range_default_cpu_limitnamespace_limit_range_default_cpu_requestnamespace_limit_range_default_memory_limitnamespace_limit_range_default_memory_requestnamespace_resource_quota_cpu_limitnamespace_resource_quota_cpu_requestnamespace_resource_quota_memory_limitnamespace_resource_quota_memo
ry_requestnetwork_policy_default_deny_egressnetwork_policy_default_deny_ingressnetwork_policy_default_dont_allow_egressnetwork_policy_default_dont_allow_ingresspod_container_admission_capability_restrictedpod_container_admission_control_plugin_always_pull_imagespod_container_admission_control_plugin_no_always_admitpod_container_arg_peer_client_cert_auth_enabledpod_container_argument_anonymous_auth_disabledpod_container_argument_audit_log_maxage_greater_than_30pod_container_argument_audit_log_maxbackup_greater_than_10pod_container_argument_audit_log_maxsize_greater_than_100pod_container_argument_audit_log_path_configuredpod_container_argument_authorization_mode_no_always_allowpod_container_argument_authorization_mode_nodepod_container_argument_authorization_mode_rbacpod_container_argument_etcd_auto_tls_disabledpod_container_argument_etcd_cafile_configuredpod_container_argument_etcd_certfile_and_keyfile_configuredpod_container_argument_etcd_client_cert_auth_enabledpod_container_argument_etcd_peer_certfile_and_peer_keyfile_configuredpod_container_argument_event_qps_less_than_5pod_container_argument_insecure_port_0pod_container_argument_kube_apiserver_etcd_certfile_and_keyfile_configuredpod_container_argument_kube_apiserver_profiling_disabledpod_container_argument_kube_apiserver_tls_cert_file_and_tls_private_key_file_configuredpod_container_argument_kube_controller_manager_bind_address_127_0_0_1pod_container_argument_kube_controller_manager_profiling_disabledpod_container_argument_kube_controller_manager_root_ca_file_configuredpod_container_argument_kube_controller_manager_service_account_credentials_enabledpod_container_argument_kube_controller_manager_service_account_private_key_file_configuredpod_container_argument_kube_scheduler_bind_address_127_0_0_1pod_container_argument_kube_scheduler_profiling_disabledpod_container_argument_kubelet_authorization_mode_no_always_allowpod_container_argument_kubelet_client_ca_file_configuredpod_container_argument_kubelet_client_cert
ificate_and_key_configuredpod_container_argument_kubelet_https_enabledpod_container_argument_kubelet_read_only_port_0pod_container_argument_kubelet_terminated_pod_gc_threshold_configuredpod_container_argument_kubelet_tls_cert_file_and_tls_private_key_file_configuredpod_container_argument_make_iptables_util_chains_enabledpod_container_argument_namespace_lifecycle_enabledpod_container_argument_node_restriction_enabledpod_container_argument_pod_security_policy_enabledpod_container_argument_protect_kernel_defaults_enabledpod_container_argument_request_timeout_appropriatepod_container_argument_rotate_kubelet_server_certificate_enabledpod_container_argument_secure_port_not_0pod_container_argument_security_context_deny_enabledpod_container_argument_service_account_enabledpod_container_argument_service_account_key_file_appropriatepod_container_argument_service_account_lookup_enabledpod_container_capabilities_drop_allpod_container_encryption_providers_configuredpod_container_host_port_not_specifiedpod_container_image_pull_policy_alwayspod_container_image_tag_specifiedpod_container_kubelet_certificate_authority_configuredpod_container_kubernetes_dashboard_not_deployedpod_container_liveness_probepod_container_memory_limitpod_container_memory_requestpod_container_no_argument_basic_auth_filepod_container_no_argument_hostname_override_configuredpod_container_no_argument_insecure_bind_addresspod_container_privilege_disabledpod_container_privilege_escalation_disabledpod_container_privilege_port_mappedpod_container_readiness_probepod_container_rotate_certificate_enabledpod_container_run_as_user_10000pod_container_secrets_defined_as_filespod_container_security_context_existspod_container_streaming_connection_idle_timeout_not_zeropod_container_strong_kube_apiserver_cryptographic_cipherspod_container_strong_kubelet_cryptographic_cipherspod_container_sys_admin_capability_disabledpod_container_token_auth_file_not_configuredpod_container_with_added_capabilitiespod_default_namespace_usedpo
d_default_seccomp_profile_enabledpod_host_network_access_disabledpod_hostpid_hostipc_sharing_disabledpod_immutable_container_filesystempod_non_root_containerpod_security_policy_allowed_host_pathpod_security_policy_container_privilege_disabledpod_security_policy_container_privilege_escalation_disabledpod_security_policy_default_seccomp_profile_enabledpod_security_policy_host_network_access_disabledpod_security_policy_hostipc_sharing_disabledpod_security_policy_hostpid_hostipc_sharing_disabledpod_security_policy_hostpid_sharing_disabledpod_security_policy_immutable_container_filesystempod_security_policy_non_root_containerpod_security_policy_security_services_hardeningpod_service_account_not_existpod_service_account_token_disabledpod_service_account_token_enabledpod_template_container_admission_capability_restrictedpod_template_container_admission_control_plugin_always_pull_imagespod_template_container_admission_control_plugin_no_always_admitpod_template_container_argument_api_server_anonymous_auth_disabledpod_template_container_argument_api_server_etcd_certfile_and_keyfile_configuredpod_template_container_argument_audit_log_maxage_greater_than_30pod_template_container_argument_audit_log_maxbackup_greater_than_10pod_template_container_argument_audit_log_maxsize_greater_than_100pod_template_container_argument_audit_log_path_configuredpod_template_container_argument_authorization_mode_no_always_allowpod_template_container_argument_authorization_mode_nodepod_template_container_argument_authorization_mode_rbacpod_template_container_argument_bind_address_127_0_0_1pod_template_container_argument_etcd_auto_tls_disabledpod_template_container_argument_etcd_cafile_configuredpod_template_container_argument_etcd_certfile_and_keyfile_configuredpod_template_container_argument_etcd_client_cert_auth_enabledpod_template_container_argument_etcd_peer_certfile_and_peer_keyfile_configuredpod_template_container_argument_event_qps_less_than_5pod_template_container_argument_insecure_port_0po
d_template_container_argument_kube_apiserver_profiling_disabledpod_template_container_argument_kube_apiserver_tls_cert_file_and_tls_private_key_file_configuredpod_template_container_argument_kube_controller_manager_bind_address_127_0_0_1pod_template_container_argument_kube_controller_manager_profiling_disabledpod_template_container_argument_kube_controller_manager_root_ca_file_configuredpod_template_container_argument_kube_controller_manager_service_account_credentials_enabledpod_template_container_argument_kube_controller_manager_service_account_private_key_file_configuredpod_template_container_argument_kube_scheduler_profiling_disabledpod_template_container_argument_kubelet_anonymous_auth_disabledpod_template_container_argument_kubelet_authorization_mode_no_always_allowpod_template_container_argument_kubelet_client_ca_file_configuredpod_template_container_argument_kubelet_client_certificate_and_key_configuredpod_template_container_argument_kubelet_https_enabledpod_template_container_argument_kubelet_read_only_port_0pod_template_container_argument_kubelet_terminated_pod_gc_threshold_configuredpod_template_container_argument_make_iptables_util_chains_enabledpod_template_container_argument_namespace_lifecycle_enabledpod_template_container_argument_node_restriction_enabledpod_template_container_argument_pod_security_policy_enabledpod_template_container_argument_protect_kernel_defaults_enabledpod_template_container_argument_request_timeout_appropriatepod_template_container_argument_rotate_kubelet_server_certificate_enabledpod_template_container_argument_secure_port_not_0pod_template_container_argument_security_context_deny_enabledpod_template_container_argument_service_account_enabledpod_template_container_argument_service_account_key_file_appropriatepod_template_container_argument_service_account_lookup_enabledpod_template_container_argument_tls_cert_file_and_tls_private_key_file_configuredpod_template_container_capabilities_drop_allpod_template_container_encryption_p
roviders_configuredpod_template_container_host_port_not_specifiedpod_template_container_image_pull_policy_alwayspod_template_container_image_tag_specifiedpod_template_container_kubelet_certificate_authority_configuredpod_template_container_kubelet_streaming_connection_idle_timeout_not_zeropod_template_container_kubernetes_dashboard_not_deployedpod_template_container_liveness_probepod_template_container_no_argument_basic_auth_filepod_template_container_no_argument_hostname_override_configuredpod_template_container_no_argument_insecure_bind_addresspod_template_container_privilege_disabledpod_template_container_privilege_escalation_disabledpod_template_container_readiness_probepod_template_container_rotate_certificate_enabledpod_template_container_secrets_defined_as_filespod_template_container_security_context_existspod_template_container_strong_kube_apiserver_cryptographic_cipherspod_template_container_strong_kubelet_cryptographic_cipherspod_template_container_sys_admin_capability_disabledpod_template_container_token_auth_file_not_configuredpod_template_container_with_added_capabilitiespod_template_cpu_limitpod_template_cpu_requestpod_template_immutable_container_filesystempod_template_memory_limitpod_template_memory_requestpod_volume_host_pathreplicaset_container_admission_capability_restrictedreplicaset_container_admission_control_plugin_always_pull_imagesreplicaset_container_admission_control_plugin_no_always_admitreplicaset_container_arg_peer_client_cert_auth_enabledreplicaset_container_argument_anonymous_auth_disabledreplicaset_container_argument_audit_log_maxage_greater_than_30replicaset_container_argument_audit_log_maxbackup_greater_than_10replicaset_container_argument_audit_log_maxsize_greater_than_100replicaset_container_argument_audit_log_path_configuredreplicaset_container_argument_authorization_mode_no_always_allowreplicaset_container_argument_authorization_mode_nodereplicaset_container_argument_authorization_mode_rbacreplicaset_container_argument_etcd_aut
o_tls_disabledreplicaset_container_argument_etcd_cafile_configuredreplicaset_container_argument_etcd_certfile_and_keyfile_configuredreplicaset_container_argument_etcd_client_cert_auth_enabledreplicaset_container_argument_etcd_peer_certfile_and_peer_keyfile_configuredreplicaset_container_argument_event_qps_less_than_5replicaset_container_argument_insecure_port_0replicaset_container_argument_kube_apiserver_etcd_certfile_and_keyfile_configuredreplicaset_container_argument_kube_apiserver_profiling_disabledreplicaset_container_argument_kube_apiserver_tls_cert_file_and_tls_private_key_file_configuredreplicaset_container_argument_kube_controller_manager_bind_address_127_0_0_1replicaset_container_argument_kube_controller_manager_profiling_disabledreplicaset_container_argument_kube_controller_manager_root_ca_file_configuredreplicaset_container_argument_kube_controller_manager_service_account_credentials_enabledreplicaset_container_argument_kube_controller_manager_service_account_private_key_file_configuredreplicaset_container_argument_kube_scheduler_bind_address_127_0_0_1replicaset_container_argument_kube_scheduler_profiling_disabledreplicaset_container_argument_kubelet_authorization_mode_no_always_allowreplicaset_container_argument_kubelet_client_ca_file_configuredreplicaset_container_argument_kubelet_client_certificate_and_key_configuredreplicaset_container_argument_kubelet_https_enabledreplicaset_container_argument_kubelet_read_only_port_0replicaset_container_argument_kubelet_terminated_pod_gc_threshold_configuredreplicaset_container_argument_kubelet_tls_cert_file_and_tls_private_key_file_configuredreplicaset_container_argument_make_iptables_util_chains_enabledreplicaset_container_argument_namespace_lifecycle_enabledreplicaset_container_argument_node_restriction_enabledreplicaset_container_argument_pod_security_policy_enabledreplicaset_container_argument_protect_kernel_defaults_enabledreplicaset_container_argument_request_timeout_appropriatereplicaset_container_argument_r
Query: pod_template_container_strong_kube_apiserver_cryptographic_ciphers
Usage
# Run only this query from the kubernetes_compliance mod and print its result rows.
powerpipe query kubernetes_compliance.query.pod_template_container_strong_kube_apiserver_cryptographic_ciphers
Steampipe Tables
SQL
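-- For every container of every pod template, report whether a kube-apiserver
-- command line restricts --tls-cipher-suites to the allow-list below.
--
--   ok    : the container has no command, or its command array has no element
--           exactly equal to "kube-apiserver" (treated as out of scope)
--   ok    : kube-apiserver whose --tls-cipher-suites value is non-empty and
--           names only allow-listed suites
--   alarm : kube-apiserver with the flag missing, empty, or naming any other suite
--
-- NOTE(review): only the container's `command` array is read. Flags supplied
-- through `args` are not seen (such a container alarms), and a command that
-- starts the binary by path has no element equal to "kube-apiserver", so it is
-- reported 'ok' without being inspected. Confirm this matches how the scanned
-- manifests launch the API server.
with allowed_suites as (
  -- The two TLS_RSA_* entries use static RSA key exchange (no forward secrecy)
  -- and are accepted here.
  -- NOTE(review): confirm the list against the benchmark version being audited.
  select
    array[
      'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
      'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
      'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
      'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
      'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
      'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
      'TLS_RSA_WITH_AES_256_GCM_SHA384',
      'TLS_RSA_WITH_AES_128_GCM_SHA256'
    ] as suites
),
container_list as (
  -- One row per command element that carries --tls-cipher-suites=...
  select
    c ->> 'name' as container_name,
    -- Text after the first '=', with surrounding double quotes stripped.
    trim('"' from split_part(co::text, '=', 2)) as value,
    j.name as pod_template
  from
    kubernetes_pod_template as j,
    jsonb_array_elements(template -> 'spec' -> 'containers') as c,
    jsonb_array_elements_text(c -> 'command') as co
  where
    co like '%--tls-cipher-suites=%'
),
container_name_with_pod_template_name as (
  -- One row per container; the final select reads the container JSON
  -- contributed by c.* as j.value.
  select
    j.name as pod_template_name,
    j.uid as pod_template_uid,
    j.path as path,
    j.start_line as start_line,
    j.end_line as end_line,
    j.context_name as context_name,
    j.namespace as namespace,
    j.source_type as source_type,
    j.tags as tags,
    j._ctx as _ctx,
    c.*
  from
    kubernetes_pod_template as j,
    jsonb_array_elements(template -> 'spec' -> 'containers') as c
)
select
  coalesce(j.pod_template_uid, concat(j.path, ':', j.start_line)) as resource,
  case
    when (j.value -> 'command') is null
      or not ((j.value -> 'command') @> '["kube-apiserver"]') then 'ok'
    when l.container_name is not null
      -- An empty flag value splits into an empty array, and an empty array is
      -- contained in any array; without this guard "--tls-cipher-suites="
      -- would be reported as using strong ciphers.
      and cardinality(string_to_array(l.value, ',')) > 0
      and string_to_array(l.value, ',') <@ a.suites then 'ok'
    else 'alarm'
  end as status,
  case
    when (j.value -> 'command') is null
      then j.value ->> 'name' || ' command not defined.'
    when not ((j.value -> 'command') @> '["kube-apiserver"]')
      then j.value ->> 'name' || ' kube-apiserver not defined.'
    when l.container_name is not null
      and cardinality(string_to_array(l.value, ',')) > 0
      and string_to_array(l.value, ',') <@ a.suites
      then j.value ->> 'name' || ' kube-apiserver uses strong cryptographic ciphers.'
    else j.value ->> 'name' || ' kube-apiserver not using strong cryptographic ciphers.'
  end as reason,
  j.pod_template_name as pod_template_name,
  coalesce(context_name, '') as context_name,
  namespace,
  source_type,
  coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  container_name_with_pod_template_name as j
  -- NOTE(review): matched on container name and pod template name only;
  -- templates that share a name (for example in different namespaces) would
  -- pick up each other's flag rows. Confirm names are unique in the scanned scope.
  left join container_list as l
    on j.value ->> 'name' = l.container_name
    and j.pod_template_name = l.pod_template
  cross join allowed_suites as a;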
Controls
The query is being used by the following controls: