# kubernetes (YAML) Security Rules

20 detection rules for kubernetes framework in YAML

- Total rules: 20
- CWE coverage: 9

## CRITICAL (5)

- **Dangerous Linux Capabilities Added**: Detects containers adding dangerous Linux capabilities like SYS_ADMIN, NET_ADMIN, or SYS_PTRACE.
- **Hardcoded Secrets in Manifest**: Detects hardcoded secrets, passwords, or API keys in Kubernetes manifests.
- **Host Namespace Access Enabled**: Detects pods configured to access host namespaces (network, PID, or IPC).
- **HostPath Volume Mounted**: Detects HostPath volumes that mount directories from the host filesystem into pods.
- **Privileged Container Detected**: Detects containers running with a privileged security context.

## HIGH (5)

- **Privilege Escalation Allowed**: Detects containers with privilege escalation explicitly enabled.
- **Ingress Missing TLS Configuration**: Detects Kubernetes Ingress resources without TLS configuration.
- **Missing Container Security Context**: Detects containers without a securityContext configuration.
- **Container Running as Root User**: Detects containers configured to run as the root user (UID 0).
- **Insecure TLS Verification Disabled**: Detects when TLS certificate verification is disabled in Kubernetes configurations.

## MEDIUM (7)

- **Container Using Latest Tag**: Detects container images using the 'latest' tag or no tag.
- **Missing Capability Restrictions**: Detects containers that do not drop unnecessary Linux capabilities.
- **Missing Network Policy**: Detects Kubernetes deployments without associated NetworkPolicy resources.
- **Missing allowPrivilegeEscalation Setting**: Detects containers with a securityContext that do not explicitly set allowPrivilegeEscalation.
- **Missing Resource Limits**: Detects containers missing resource limits.
- **NodePort Service Exposes Application**: Detects services of type NodePort, which expose the application on all cluster nodes.
- **Writable Root Filesystem**: Detects containers that allow writes to the root filesystem.

## LOW (3)

- **Service Account Token Auto-Mounted**: Detects pods with service account token auto-mounting enabled.
- **Using Default Namespace**: Detects resources deployed to the default namespace.
- **Missing Health Probes**: Detects containers missing liveness and/or readiness probes.