Kubesec Benchmark

K.SEC.01  Enforcing CPU limits prevents DoS via resource exhaustion
K.SEC.02  Enforcing memory limits prevents DoS via resource exhaustion
K.SEC.03  CAP_SYS_ADMIN is the most privileged capability and should always be avoided
K.SEC.04  Drop all capabilities and add only those required, to reduce the syscall attack surface
K.SEC.05  Privileged containers can allow almost completely unrestricted host access
K.SEC.06  An immutable root filesystem can prevent malicious binaries from being added to PATH and increases the attacker's cost
K.SEC.07  Force the running image to run as a non-root user to ensure least privilege
K.SEC.08  Run as a high-UID user to avoid conflicts with the host's user table
K.SEC.09  Managing /etc/hosts aliases can prevent Docker from modifying the file after a pod's containers have already been started
K.SEC.10  Sharing the host's IPC namespace allows container processes to communicate with processes on the host
K.SEC.11  Sharing the host's network namespace permits processes in the pod to communicate with processes bound to the host's loopback adapter
K.SEC.12  Sharing the host's PID namespace allows visibility of processes on the host, potentially leaking information such as environment variables and configuration
K.SEC.13  Mounting the docker.socket leaks information about other containers and can allow container breakout
K.SEC.14  Avoid using the :latest tag when deploying containers in production, as it is harder to track which version of the image is running and more difficult to roll back properly
K.SEC.15  Setting allowPrivilegeEscalation to false ensures that no child process of a container can gain more privileges than its parent
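As an added example, not kubesec's own code, the following Python checker evaluates a Pod manifest (already parsed into a dict, for instance with yaml.safe_load) against the K.SEC rules above and reports which ones fail. How each rule is mapped to pod-spec fields, the "high UID" threshold of 10000, and the two sample manifests are assumptions made for this illustration.

```python
# Added example, not kubesec's own code: check a Pod manifest (parsed into a dict,
# e.g. with yaml.safe_load) against the K.SEC rules. The mapping of each rule to
# pod-spec fields and the "high UID" threshold of 10000 are assumptions.

def check_pod(manifest):
    """Return the sorted list of K.SEC rule IDs the Pod manifest fails."""
    spec = manifest.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    # A rule passes only if every container, init containers included, passes.
    every = lambda pred: all(pred(c) for c in containers)
    # Container securityContext overrides pod-level fields (runAsNonRoot, runAsUser).
    sc = lambda c: {**spec.get("securityContext", {}), **c.get("securityContext", {})}
    limit = lambda c, k: c.get("resources", {}).get("limits", {}).get(k)
    caps = lambda c: sc(c).get("capabilities", {})
    tag = lambda c: c["image"].rsplit("/", 1)[-1]  # drop registry/repository path
    mounts_docker_sock = any(v.get("hostPath", {}).get("path", "").endswith("docker.sock")
                             for v in spec.get("volumes", []))
    passed = {
        "K.SEC.01": every(lambda c: limit(c, "cpu") is not None),
        "K.SEC.02": every(lambda c: limit(c, "memory") is not None),
        "K.SEC.03": every(lambda c: "SYS_ADMIN" not in caps(c).get("add", [])),
        "K.SEC.04": every(lambda c: "ALL" in caps(c).get("drop", [])),
        "K.SEC.05": every(lambda c: not sc(c).get("privileged", False)),
        "K.SEC.06": every(lambda c: sc(c).get("readOnlyRootFilesystem") is True),
        "K.SEC.07": every(lambda c: sc(c).get("runAsNonRoot") is True),
        "K.SEC.08": every(lambda c: sc(c).get("runAsUser", 0) > 10000),
        "K.SEC.09": bool(spec.get("hostAliases")),
        "K.SEC.10": not spec.get("hostIPC", False),
        "K.SEC.11": not spec.get("hostNetwork", False),
        "K.SEC.12": not spec.get("hostPID", False),
        "K.SEC.13": not mounts_docker_sock,
        # An image with no tag at all resolves to :latest implicitly, so it fails too.
        "K.SEC.14": every(lambda c: ":" in tag(c) and not tag(c).endswith(":latest")),
        "K.SEC.15": every(lambda c: sc(c).get("allowPrivilegeEscalation") is False),
    }
    return sorted(rule for rule, ok in passed.items() if not ok)

# Constructed sample manifests for illustration (not from the page).
WEAK_POD = {"spec": {"hostPID": True, "containers": [
    {"name": "app", "image": "nginx:latest", "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"spec": {
    "hostAliases": [{"ip": "127.0.0.1", "hostnames": ["cache.local"]}],
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{"name": "app", "image": "nginx:1.25.3",
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        "securityContext": {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}}
```

Running check_pod(WEAK_POD) lists eleven failed rules, while check_pod(HARDENED_POD) returns an empty list; adding an init container without resource limits to the hardened pod makes K.SEC.01 and K.SEC.02 fail again.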