# Kubernetes (YAML) Security

Security vulnerabilities and detection rules for the Kubernetes framework. 20 rules across 9 CWE categories.

- Total rules: 20
- CWE categories: 9
- Critical rules: 5

## CWEs

- **CWE-250**: Execution with Unnecessary Privileges
- **CWE-319**: Cleartext Transmission of Sensitive Information
- **CWE-668**: Exposure of Resource to Wrong Sphere
- **CWE-732**: Incorrect Permission Assignment for Critical Resource
- **CWE-1188**: Insecure Default Initialization of Resource
- **CWE-284**: Improper Access Control
- **CWE-400**: Uncontrolled Resource Consumption
- **CWE-798**: Use of Hard-coded Credentials
- **CWE-829**: Inclusion of Functionality from Untrusted Control Sphere

## Rules

- **Privilege Escalation Allowed** [HIGH]: Detects containers with privilege escalation explicitly enabled.
- **Service Account Token Auto-Mounted** [LOW]: Detects pods with service account token auto-mounting enabled.
- **Dangerous Linux Capabilities Added** [CRITICAL]: Detects containers adding dangerous Linux capabilities such as SYS_ADMIN, NET_ADMIN, or SYS_PTRACE.
- **Using Default Namespace** [LOW]: Detects resources deployed to the default namespace.
- **Hardcoded Secrets in Manifest** [CRITICAL]: Detects hardcoded secrets, passwords, or API keys in Kubernetes manifests.
- **Host Namespace Access Enabled** [CRITICAL]: Detects pods configured to access host namespaces (network, PID, or IPC).
- **HostPath Volume Mounted** [CRITICAL]: Detects HostPath volumes that mount directories from the host filesystem into pods.
- **Container Using Latest Tag** [MEDIUM]: Detects container images using the 'latest' tag or no tag.
- **Ingress Missing TLS Configuration** [HIGH]: Detects Kubernetes Ingress resources without TLS configuration.
- **Missing Capability Restrictions** [MEDIUM]: Detects containers that do not drop unnecessary Linux capabilities.
- **Missing Health Probes** [LOW]: Detects containers missing liveness and/or readiness probes.
- **Missing Network Policy** [MEDIUM]: Detects Kubernetes deployments without associated NetworkPolicy resources.
- **Missing allowPrivilegeEscalation Setting** [MEDIUM]: Detects containers with a securityContext that does not explicitly set allowPrivilegeEscalation.
- **Missing Resource Limits** [MEDIUM]: Detects containers missing resource limits.
- **Missing Container Security Context** [HIGH]: Detects containers without securityContext configuration.
- **NodePort Service Exposes Application** [MEDIUM]: Detects services using the NodePort type, which exposes the application on all cluster nodes.
- **Privileged Container Detected** [CRITICAL]: Detects containers running with a privileged security context.
- **Container Running as Root User** [HIGH]: Detects containers configured to run as the root user (UID 0).
- **Insecure TLS Verification Disabled** [HIGH]: Detects when TLS certificate verification is disabled in Kubernetes configurations.
- **Writable Root Filesystem** [MEDIUM]: Detects containers that allow writes to the root filesystem.