Kubernetes Security Assessment Report

Cluster: never-dev-sec  |  Kubernetes: 1.33  |  Scanned: 2026-06-22 20:45:08 UTC  |  Total Findings: 323

🛡 OWASP Kubernetes Top 10

Assessment based on the OWASP Kubernetes Top Ten framework  |  18 findings, 148 affected resources
71 Critical  |  12 Critical  |  29 High  |  93 Medium  |  10 Info  |  4 Pass
Category | Risk | Findings | Worst Severity
K01 | Insecure Workload Configurations | 55 issue(s) / 4 finding(s) | MEDIUM
K02 | Overly Permissive RBAC | 1 issue(s) / 1 finding(s) | HIGH
K03 | Secrets Management Failures | 12 issue(s) / 3 finding(s) | MEDIUM
K04 | Lack of Centralized Policy Enforcement | 12 issue(s) / 2 finding(s) | CRITICAL
K05 | Missing Network Segmentation | 0 issue(s) / 1 finding(s) | PASS
K06 | Overly Exposed Cluster Components | 3 issue(s) / 2 finding(s) | MEDIUM
K07 | Misconfigured Cluster Components | 28 issue(s) / 1 finding(s) | HIGH
K08 | Cluster-to-Cloud Lateral Movement | 6 issue(s) / 1 finding(s) | MEDIUM
K09 | Broken Authentication Mechanisms | 17 issue(s) / 2 finding(s) | MEDIUM
K10 | Inadequate Logging and Monitoring | 0 issue(s) / 1 finding(s) | PASS

K01: Insecure Workload Configurations

55 issue(s) / 4 finding(s)
MEDIUM Missing readOnlyRootFilesystem
23 containers lack readOnlyRootFilesystem: true
Affected Resources
  • cnpg/test-pgadmin4-857969675d-2dms4/pgadmin4
  • default/httpbin-56c54d77b8-9cd8d/httpbin
  • grafana/test-grafana-58d4d869d5-lhq4q/grafana-sc-dashboard
  • grafana/test-grafana-58d4d869d5-lhq4q/grafana-sc-datasources
  • grafana/test-grafana-58d4d869d5-lhq4q/grafana
  • grafana/test-grafana-prometheus-server-5596cd95f-t5xsx/prometheus-server-configmap-reload
  • grafana/test-grafana-prometheus-server-5596cd95f-t5xsx/prometheus-server
  • nats/test-nats-0/nats
  • nats/test-nats-0/reloader
  • nats/test-nats-1/nats
  • nats/test-nats-1/reloader
  • nats/test-nats-2/nats
  • nats/test-nats-2/reloader
  • nats/test-nats-box-7f6b679bdc-bfj7g/nats-box
  • nats/test-nats-tower-0/nats-tower
  • nats/test-nats-ui-nui-0/nui
  • nats/test-nats-ui-nui-0/fix-db-permissions
  • nessus-scanner/nessus-bd65456d-twt2m/securitycenter
  • nessus/nessus-bd65456d-csp6k/securitycenter
  • splunk-operator/splunk-operator-controller-manager-85d568b94f-82n78/manager
MEDIUM Missing runAsNonRoot
23 containers lack runAsNonRoot: true
Affected Resources
  • cnpg/cnpg-operator-cloudnative-pg-58c485df56-p5v46/manager
  • cnpg/test-pgadmin4-857969675d-2dms4/pgadmin4
  • default/httpbin-56c54d77b8-9cd8d/httpbin
  • grafana/test-grafana-58d4d869d5-lhq4q/grafana-sc-dashboard
  • grafana/test-grafana-58d4d869d5-lhq4q/grafana-sc-datasources
  • grafana/test-grafana-58d4d869d5-lhq4q/grafana
  • grafana/test-grafana-prometheus-server-5596cd95f-t5xsx/prometheus-server-configmap-reload
  • grafana/test-grafana-prometheus-server-5596cd95f-t5xsx/prometheus-server
  • nats/test-nats-0/nats
  • nats/test-nats-0/reloader
  • nats/test-nats-1/nats
  • nats/test-nats-1/reloader
  • nats/test-nats-2/nats
  • nats/test-nats-2/reloader
  • nats/test-nats-box-7f6b679bdc-bfj7g/nats-box
  • nats/test-nats-tower-0/nats-tower
  • nats/test-nats-ui-nui-0/nui
  • nats/test-nats-ui-nui-0/fix-db-permissions
  • nessus-scanner/nessus-bd65456d-twt2m/securitycenter
  • nessus/nessus-bd65456d-csp6k/securitycenter
MEDIUM Missing Resource Limits
9 containers have no resource limits/requests
Affected Resources
  • cnpg/test-pgadmin4-857969675d-2dms4/pgadmin4
  • default/httpbin-56c54d77b8-9cd8d/httpbin
  • nats/test-nats-0/reloader
  • nats/test-nats-1/reloader
  • nats/test-nats-2/reloader
  • nats/test-nats-box-7f6b679bdc-bfj7g/nats-box
  • nats/test-nats-ui-nui-0/nui
  • nats/test-nats-ui-nui-0/fix-db-permissions
  • vector-aggregator/test-vector-aggregator-0/vector
PASS No Critical Workload Issues
No privileged, hostNetwork, hostPID, or hostPath pods found

K02: Overly Permissive RBAC

1 issue(s) / 1 finding(s)
HIGH Cluster-Admin Bindings
1 binding grants cluster-admin or equivalent
Affected Resources
  • cluster-admin -> Group/system:masters

K03: Secrets Management Failures

12 issue(s) / 3 finding(s)
MEDIUM Cloud Provider Credentials in Secrets
12 secrets appear to contain cloud credentials
Affected Resources
  • argo-cd/argocd-repo-creds-ssh-creds
  • burpsuite/burpsuite-db-cnpg-backup-creds
  • cert-manager/rt53-creds
  • cnpg/burpsuite-db-cnpg-backup-creds
  • external-dns/rt53-creds
  • kube-system/openstack-cloud-config
  • kube-system/os-app-creds
  • kube-system/sh.helm.release.v1.openstack-ccm.v1
  • kube-system/sh.helm.release.v1.openstack-csi.v1
  • nats/nats-operator-credentials
  • nats/test-nats-tower-credentials
  • tenable-enclave/tenable-db-cnpg-backup-creds
INFO Secret Inventory
152 secrets total, 90 Opaque type
PASS External Secrets Management Present
Found: clusterexternalsecrets.external-secrets.io, externalsecrets.external-secrets.io, vaultdynamicsecrets.generators.external-secrets.io

K04: Lack of Centralized Policy Enforcement

12 issue(s) / 2 finding(s)
CRITICAL Pod Security Admission Not Enforced
Only 4/16 application namespaces have PSA enforce labels
Affected Resources
  • argo-cd: baseline
  • falco: privileged
  • princess-peach: restricted
  • vector-aggregator: baseline
INFO Validation Policies Found
10 policies with validate rules
Affected Resources
  • disallow-host-namespaces
  • disallow-host-path-volumes
  • disallow-host-ports
  • disallow-latest-tag
  • disallow-privilege-escalation
  • disallow-privileged-containers
  • require-drop-all-capabilities
  • require-readonly-rootfs
  • require-resource-limits
  • require-run-as-nonroot

K05: Missing Network Segmentation

0 issue(s) / 1 finding(s)
PASS Network Segmentation Present
K8s: 7, Cilium: 0+0, Istio: 0

K06: Overly Exposed Cluster Components

3 issue(s) / 2 finding(s)
MEDIUM LoadBalancer Services Exposed
3 services directly exposed via LoadBalancer
Affected Resources
  • nessus-manager/nessus-manager-agents (139.66.21.169)
  • nessus-scanner/tenable-nessus (139.66.13.105)
  • nessus/tenable-nessus (139.66.13.96)
PASS All Ingresses Use TLS
All 12 ingresses have TLS configured

K07: Misconfigured Cluster Components

28 issue(s) / 1 finding(s)
HIGH Trivy ConfigAudit Issues
28 resources have critical/high configuration findings
Affected Resources
  • default/replicaset-httpbin-56c54d77b8: 0C/1H
  • falco/daemonset-test-falco: 0C/8H
  • ingress-nginx/replicaset-ingress-nginx-controller-6f6f859569: 0C/2H
  • k0s-system/replicaset-k0s-pushgateway-6d8f9785c7: 0C/1H
  • kube-system/daemonset-cilium: 0C/19H
  • kube-system/daemonset-cilium-envoy: 0C/4H
  • kube-system/daemonset-csi-nfs-node: 0C/5H
  • kube-system/daemonset-openstack-cinder-csi-nodeplugin: 0C/7H
  • kube-system/daemonset-openstack-cloud-controller-manager: 0C/2H
  • kube-system/replicaset-cilium-operator-dc56c5457: 0C/3H
  • kube-system/replicaset-coredns-c8d757745: 0C/1H
  • kube-system/replicaset-csi-nfs-controller-68d68c78cc: 0C/6H
  • kube-system/replicaset-hubble-relay-5447cdd779: 0C/1H
  • kube-system/replicaset-hubble-ui-77d4cd6ff5: 0C/2H
  • kube-system/replicaset-openstack-cinder-csi-controllerplugin-6b6b78b7d8: 0C/6H
  • manila-csi/daemonset-manila-csi-openstack-manila-csi-nodeplugin: 0C/5H
  • manila-csi/statefulset-manila-csi-openstack-manila-csi-controllerplugin: 0C/6H
  • nessus-scanner/replicaset-nessus-bd65456d: 0C/1H
  • nessus/replicaset-nessus-bd65456d: 0C/1H
  • projectsveltos/replicaset-sveltos-agent-manager-59d7f46f64: 0C/1H

K08: Cluster-to-Cloud Lateral Movement

6 issue(s) / 1 finding(s)
MEDIUM Cloud Credentials Accessible In-Cluster
6 secrets contain cloud provider credentials
Affected Resources
  • cert-manager/rt53-creds
  • external-dns/rt53-creds
  • kube-system/openstack-cloud-config
  • kube-system/os-app-creds
  • kube-system/sh.helm.release.v1.openstack-ccm.v1
  • kube-system/sh.helm.release.v1.openstack-csi.v1

K09: Broken Authentication Mechanisms

17 issue(s) / 2 finding(s)
MEDIUM Default SA Auto-Mounts Tokens
16 namespaces have default SA with automountServiceAccountToken != false
Affected Resources
  • cilium-secrets
  • cnpg
  • default
  • external-dns
  • grafana
  • kcm-system
  • nats
  • nessus
  • nessus-manager
  • nessus-scanner
  • pgadmin4
  • projectsveltos
  • splunk-operator
  • tenable
  • tenable-enclave
  • vector-aggregator
MEDIUM No mTLS Enforcement
No Istio PeerAuthentication resources found

K10: Inadequate Logging and Monitoring

0 issue(s) / 1 finding(s)
PASS Security Monitoring Present
4/4 monitoring categories covered
Affected Resources
  • Runtime Security (Falco)
  • Log Collection (Vector/Fluentd/Fluentbit)
  • SIEM (Splunk/ELK)
  • Network Observability (Hubble)

🔎 CWE/SANS Top 25 (2025)

Assessment mapped from 2025 CWE Top 25 to Kubernetes controls  |  13 findings, 75 affected resources
19 Good  |  6 High  |  69 Medium

CWE Kubernetes Relevance Mapping

Rank | CWE ID | Weakness | K8s Relevance
1 | CWE-79 | XSS: Cross-site Scripting | High — WAF/ModSecurity at ingress layer
2 | CWE-89 | SQL Injection | High — Database service exposure, parameterized queries
3 | CWE-352 | Cross-Site Request Forgery (CSRF) | Medium — Ingress-level CSRF protection headers
4 | CWE-862 | Missing Authorization | Critical — RBAC — missing authorization on SA/roles
5 | CWE-787 | Out-of-bounds Write | Medium — Image vulnerability scanning (Trivy)
6 | CWE-22 | Path Traversal | Critical — hostPath mounts enable path traversal
7 | CWE-416 | Use After Free | Medium — Image vulnerability scanning (Trivy)
8 | CWE-125 | Out-of-bounds Read | Medium — Image vulnerability scanning (Trivy)
9 | CWE-78 | OS Command Injection | Critical — Command injection — readOnlyRootFS, runAsNonRoot
10 | CWE-94 | Code Injection | Critical — pods/exec RBAC = code injection vector
11 | CWE-120 | Classic Buffer Overflow | Low — Image vulnerability scanning (Trivy)
12 | CWE-434 | Unrestricted Upload of Dangerous File Type | Medium — readOnlyRootFilesystem, ephemeral storage
13 | CWE-476 | NULL Pointer Dereference | Low — Image vulnerability scanning (Trivy)
14 | CWE-121 | Stack-based Buffer Overflow | Low — Application-level
15 | CWE-502 | Deserialization of Untrusted Data | High — Deserialization — readOnlyRootFS, network policies
16 | CWE-122 | Heap-based Buffer Overflow | Low — Application-level
17 | CWE-863 | Incorrect Authorization | Critical — Broken access control — RBAC misconfig
18 | CWE-20 | Improper Input Validation | Low — Application-level
19 | CWE-284 | Improper Access Control | Critical — Improper access control — RBAC
20 | CWE-200 | Exposure of Sensitive Information | High — Env var exposure, secret protection
21 | CWE-306 | Missing Authentication for Critical Function | High — Missing authentication — Ingress auth annotations
22 | CWE-918 | Server-Side Request Forgery (SSRF) | High — SSRF — NetworkPolicy egress restrictions
23 | CWE-77 | Command Injection | Critical — Command injection — same as CWE-78
24 | CWE-639 | Authorization Bypass Through User-Controlled Key | Medium — SA token automount = authorization bypass vector
25 | CWE-770 | Allocation of Resources Without Limits | Critical — Resource limits prevent DoS

CWE Detailed Findings

75 affected resource(s) / 13 finding(s)
HIGH CWE-94: ClusterRoles allowing pod exec/attach (Code Injection vector)
6 ClusterRole(s) grant pods/exec or pods/attach create access, enabling code injection into running containers.
Affected Resources
  • ClusterRole/admin
  • ClusterRole/cnpg-manager
  • ClusterRole/cnpg-operator-cloudnative-pg
  • ClusterRole/edit
  • ClusterRole/splunk-operator-manager-role
  • ClusterRole/system:aggregate-to-edit
MEDIUM CWE-79: Ingresses without WAF/ModSecurity protection
12 ingress(es) expose web applications without WAF annotations (ModSecurity/OWASP CRS). XSS attacks against exposed web apps are not mitigated at the ingress layer.
Affected Resources
  • argo-cd/argo-cd-argocd-server
  • burpsuite/bsee-ingress
  • cnpg/test-pgadmin4
  • grafana/test-grafana
  • nats/nats-websocket
  • nats/test-nats-tower
  • nats/test-nats-ui-nui
  • nessus-manager/nessus-manager-ui
  • princess-peach/princess-peach
  • splunk/shc-test-ingress
  • tenable-enclave/test-tenable-enclave-tes-operator
  • vector-aggregator/test-vector-aggregator
MEDIUM CWE-78/CWE-77: Containers without readOnlyRootFilesystem or runAsNonRoot
14 container(s) run without readOnlyRootFilesystem AND runAsNonRoot. If command injection is exploited, attackers gain writable root filesystem access as the root user.
Affected Resources
  • cnpg/test-pgadmin4-857969675d-2dms4/pgadmin4
  • default/httpbin-56c54d77b8-9cd8d/httpbin
  • nats/test-nats-0/nats
  • nats/test-nats-0/reloader
  • nats/test-nats-1/nats
  • nats/test-nats-1/reloader
  • nats/test-nats-2/nats
  • nats/test-nats-2/reloader
  • nats/test-nats-box-7f6b679bdc-bfj7g/nats-box
  • nats/test-nats-tower-0/nats-tower
  • nats/test-nats-ui-nui-0/nui
  • nessus-scanner/nessus-bd65456d-twt2m/securitycenter
  • nessus/nessus-bd65456d-csp6k/securitycenter
  • vector-aggregator/test-vector-aggregator-0/vector
MEDIUM CWE-306: Ingresses without authentication annotations
10 ingress(es) have no external authentication configured (auth-url, auth-signin, etc.).
Affected Resources
  • argo-cd/argo-cd-argocd-server (argo.never-security.sms.dev.sci.scs.sap)
  • burpsuite/bsee-ingress (burpsuite.security.sci-prod.scs.sap)
  • cnpg/test-pgadmin4 (pgadmin4.never-security.sms.dev.sci.scs.sap)
  • grafana/test-grafana (security-dashboard.never-security.sms.dev.sci.scs.sap)
  • nats/nats-websocket (nats-ws.never-security.sms.dev.sci.scs.sap)
  • nats/test-nats-tower (nats-tower.never-security.sms.dev.sci.scs.sap)
  • nessus-manager/nessus-manager-ui (nessus.never-security.sms.dev.sci.scs.sap)
  • princess-peach/princess-peach (princess-peach.never-security.sms.dev.sci.scs.sap)
  • splunk/shc-test-ingress (splunk.never-security.sms.dev.sci.scs.sap)
  • tenable-enclave/test-tenable-enclave-tes-operator (tenable-enclave.never-security.sms.dev.sci.scs.sap)
MEDIUM CWE-918: Insufficient network policies to prevent SSRF
Only 7 NetworkPolicy(ies) across 32 namespaces. Pods can reach cloud metadata endpoints (169.254.169.254) and internal services, enabling SSRF attacks.
MEDIUM CWE-770: Containers without resource limits (DoS risk)
8 container(s) have no resource limits. A runaway process could exhaust node resources (Denial of Service).
Affected Resources
  • cnpg/test-pgadmin4-857969675d-2dms4/pgadmin4
  • default/httpbin-56c54d77b8-9cd8d/httpbin
  • nats/test-nats-0/reloader
  • nats/test-nats-1/reloader
  • nats/test-nats-2/reloader
  • nats/test-nats-box-7f6b679bdc-bfj7g/nats-box
  • nats/test-nats-ui-nui-0/nui
  • vector-aggregator/test-vector-aggregator-0/vector
INFO CWE-79/CWE-89/CWE-352: Application-layer injection/CSRF weaknesses
XSS, SQL Injection, and CSRF are primarily application-code vulnerabilities. Mitigation: Use WAFs at the ingress layer, keep container images updated, run vulnerability scanners on application code.
INFO CWE-787/CWE-416/CWE-125/CWE-120/CWE-121/CWE-122/CWE-476: Memory safety weaknesses (C/C++ binary vulnerabilities)
Out-of-bounds Write/Read, Use After Free, Buffer Overflows, and NULL Pointer Dereference are binary-level vulnerabilities. Mitigation: Use container image vulnerability scanners (Trivy, Grype) to detect known CVEs in base images. Apply readOnlyRootFilesystem and drop all capabilities to limit exploit impact.
INFO CWE-434: Unrestricted file upload
Applies to web applications allowing file uploads. Mitigation: readOnlyRootFilesystem, ephemeral container storage, and network policies limit post-exploitation impact.
INFO No Trivy VulnerabilityReports found
Trivy Operator may not be running active image scans. Deploy trivy-operator to detect CWE-related CVEs in images.
PASS CWE-89: No database services directly exposed
All database services use ClusterIP (internal only).
PASS CWE-22: No hostPath mounts detected
No pods mount the host filesystem.
PASS CWE-200: No plain-text secrets detected in environment variables
All sensitive env vars use secretKeyRef or are absent.

🌏 NIST Cybersecurity Framework (CSF) 2.0

Assessment mapped to NIST CSF 2.0 (Feb 2024) — 6 Functions, 22 Categories, 106 Subcategories. 10 findings, 138 affected resources
19 Good  |  15 High  |  22 Medium  |  101 Info

CSF 2.0 Function Mapping

Function | ID | Focus Area | K8s Controls
GOVERN | GV | Organizational context, risk strategy, supply chain | Kyverno policies, namespace labels, image registries
IDENTIFY | ID | Asset management, risk assessment | Resource inventory, vulnerability scanning
PROTECT | PR | Access control, data security, platform security | RBAC, PSA, Secrets, resource limits
DETECT | DE | Continuous monitoring, adverse events | Falco, Vector/Splunk logging
RESPOND | RS | Incident management, analysis | NetworkPolicies for containment
RECOVER | RC | Recovery planning | Backup CronJobs, Velero

CSF 2.0 Detailed Findings

10 finding(s)
HIGH PR.PS - Pod Security Standards Not Enforced

15/16 application namespaces lack PSA enforce labels

  • cilium-secrets
  • cnpg
  • default
  • external-dns
  • grafana
  • kcm-system
  • nats
  • nessus
  • nessus-manager
  • nessus-scanner
  • pgadmin4
  • projectsveltos
  • splunk-operator
  • tenable
  • tenable-enclave
MEDIUM GV.RM - Policies in Audit Only

13 policies exist but none enforce

  • cnpg-burpsuite-db-pod-policy
  • cnpg-tenable-db-pod-policy
  • disallow-host-namespaces
  • disallow-host-path-volumes
  • disallow-host-ports
  • disallow-latest-tag
  • disallow-privilege-escalation
  • disallow-privileged-containers
  • kube-env-policy
  • require-drop-all-capabilities
  • require-readonly-rootfs
  • require-resource-limits
  • require-run-as-nonroot
MEDIUM PR.IR - Containers Without Resource Limits

8 containers lack limits

  • cnpg/test-pgadmin4-857969675d-2dms4/pgadmin4
  • default/httpbin-56c54d77b8-9cd8d/httpbin
  • nats/test-nats-0/reloader
  • nats/test-nats-1/reloader
  • nats/test-nats-2/reloader
  • nats/test-nats-box-7f6b679bdc-bfj7g/nats-box
  • nats/test-nats-ui-nui-0/nui
  • vector-aggregator/test-vector-aggregator-0/vector
MEDIUM RC.RP - No Backup Jobs

No backup/snapshot CronJobs found

INFO GV.SC - Container Image Registries

11 registries: docker.io, ecr-public.aws.com, ghcr.io, global.artifactory.sms.dev.sci.scs.sap, natsio, nginxinc, public.ecr.aws, quay.io, reg.kyverno.io, registry.k8s.io

  • docker.io
  • ecr-public.aws.com
  • ghcr.io
  • global.artifactory.sms.dev.sci.scs.sap
  • natsio
  • nginxinc
  • public.ecr.aws
  • quay.io
  • reg.kyverno.io
  • registry.k8s.io
  • tenable
INFO PR.DS - Secrets Inventory

90 Opaque secrets. Verify encryption at rest.

  • argo-cd/argocd-initial-admin-secret
  • argo-cd/argocd-notifications-secret
  • argo-cd/argocd-redis
  • argo-cd/argocd-repo-creds-ssh-creds
  • argo-cd/argocd-repo-git-repo
  • argo-cd/argocd-repo-keppel-helm-repo
  • argo-cd/argocd-secret
  • argo-cd/cluster-ca-bundle
  • argo-cd/gitlab-kubernetes-migration-repo
  • argo-cd/repo-sci-security
  • burpsuite/bsee-web-server-https
  • burpsuite/burpsuite-db-cnpg-backup-creds
  • burpsuite/burpsuite-tls-zqjf2
  • burpsuite/cluster-ca-bundle
  • burpsuite/cnpg-burpsuite-db-cluster-ca
  • burpsuite/test-burpsuite-enterprise-server-secret
  • burpsuite/test-burpsuite-relay-shared-secret
  • burpsuite/test-burpsuite-scanning-shared-secret
  • burpsuite/test-burpsuite-web-server-secret
  • cert-manager/cert-manager-webhook-ca
PASS ID.AM - Asset Inventory

17 nodes, 195 pods, 87 services, 32 namespaces

PASS PR.AA - RBAC Reviewed

No non-system SAs bound to admin roles

PASS DE.CM - Runtime Monitoring Active

Falco on 2 nodes

  • test-falco-falcosidekick-68b97d6d6b-7xch7
  • test-falco-falcosidekick-68b97d6d6b-vhzcl
PASS DE.AE - Log Collection Active

9 log collector pods

  • test-vector-aggregator-0
  • test-vector-4vj79
  • test-vector-65q77
  • test-vector-9hjxk
  • test-vector-c56nj
  • test-vector-nzjmx
  • test-vector-phsfw
  • test-vector-pzk5t
  • test-vector-rfhz9

📜 NIST SP 800-53 Rev 5

Assessment mapped to NIST SP 800-53 Rev 5 — 20 Control Families, 1000+ Controls. 11 findings, 149 affected resources
38 Medium  |  15 Critical  |  43 Medium  |  91 Info

Assessed Control Families

Family | ID | Controls | K8s Implementation
Access Control | AC | AC-3, AC-6 | RBAC, SA tokens, privileged containers
Audit & Accountability | AU | AU-2, AU-3, AU-6 | Logging, runtime audit (Falco)
Security Assessment | CA | CA-2 | PolicyReports, compliance scanning
Config Management | CM | CM-2, CM-7 | ResourceQuotas, hostNetwork
Identification & Auth | IA | IA-5 | Default SA automount
System & Comms Protection | SC | SC-7, SC-8, SC-28 | NetworkPolicies, TLS, Secrets
System & Info Integrity | SI | SI-2, SI-4 | Vuln scanning, monitoring

SP 800-53 Detailed Findings

11 finding(s)
CRITICAL SC-7 Boundary Protection: Missing NetworkPolicies

15/32 namespaces lack policies

  • cilium-secrets
  • default
  • external-dns
  • grafana
  • kcm-system
  • nats
  • nessus
  • nessus-manager
  • nessus-scanner
  • pgadmin4
  • projectsveltos
  • splunk-operator
  • tenable
  • tenable-enclave
  • vector-aggregator
MEDIUM AC-3 Access Enforcement: SA Token Auto-Mount

27 app pods auto-mount SA tokens

  • cnpg/cnpg-burpsuite-db-cluster-1
  • cnpg/cnpg-burpsuite-db-cluster-2-join-6h9h7
  • cnpg/cnpg-burpsuite-db-cluster-pooler-rw-57d4f59b88-bdggg
  • cnpg/cnpg-burpsuite-db-cluster-pooler-rw-57d4f59b88-f9nk9
  • cnpg/cnpg-operator-cloudnative-pg-58c485df56-p5v46
  • default/httpbin-56c54d77b8-9cd8d
  • external-dns/external-dns-99846f4c4-pvsqn
  • grafana/test-grafana-58d4d869d5-lhq4q
  • grafana/test-grafana-prometheus-server-5596cd95f-t5xsx
  • nats/nginx-fips-7b8698c4f6-blk4p
  • nats/test-nats-0
  • nats/test-nats-1
  • nats/test-nats-2
  • nats/test-nats-box-7f6b679bdc-bfj7g
  • nats/test-nats-tower-0
  • nessus-scanner/nessus-bd65456d-twt2m
  • nessus/nessus-bd65456d-csp6k
  • splunk-operator/splunk-operator-controller-manager-85d568b94f-82n78
  • tenable-enclave/cnpg-tenable-db-cluster-1
  • tenable-enclave/cnpg-tenable-db-cluster-2
MEDIUM IA-5 Authenticator Mgmt: Default SA Auto-Mount

16 namespaces with default SA automount

  • cilium-secrets
  • cnpg
  • default
  • external-dns
  • grafana
  • kcm-system
  • nats
  • nessus
  • nessus-manager
  • nessus-scanner
  • pgadmin4
  • projectsveltos
  • splunk-operator
  • tenable
  • tenable-enclave
  • vector-aggregator
INFO AC - RBAC Overview

105 CRBs, 1 admin/cluster-admin

  • cluster-admin
INFO SC-28 Info at Rest: Secrets

90 Opaque secrets. Verify etcd encryption.

PASS AU-2/AU-3 Audit Events: Logging Active

20 log/SIEM pods

  • splunk-operator-controller-manager-85d568b94f-82n78
  • splunk-cm-test-cluster-manager-0
  • splunk-idxc-test-indexer-0
  • splunk-idxc-test-indexer-1
  • splunk-idxc-test-indexer-2
  • splunk-lm-test-license-manager-0
  • splunk-mc-test-monitoring-console-0
  • splunk-shc-test-deployer-0
  • splunk-shc-test-search-head-0
  • splunk-shc-test-search-head-1
PASS AU-6 Audit Review: Runtime Security

Falco on 2 nodes

  • test-falco-falcosidekick-68b97d6d6b-7xch7
  • test-falco-falcosidekick-68b97d6d6b-vhzcl
PASS CA-2 Security Assessments: Policy Reports

1 ClusterPolicyReports

PASS CM-2 Baseline Config: ResourceQuotas

19 defined

PASS SC-8 Transmission Confidentiality: TLS OK

All 12 ingresses use TLS

PASS SI-4 System Monitoring: Active

4 monitoring pods

  • test-grafana-58d4d869d5-lhq4q
  • test-grafana-prometheus-server-5596cd95f-t5xsx
  • hubble-relay-5447cdd779-lbkrg
  • hubble-ui-77d4cd6ff5-g5lbz

⏱ Runtime Security

Live runtime analysis of running workloads, pod health, container states, and security agent status. 9 findings, 28 affected resources
4 Good  |  1 High  |  15 Medium  |  3 Low  |  9 Info

Runtime Check Categories

Check | ID | Description | Severity
Crashlooping | RT01 | Containers with 5+ restarts | HIGH
OOMKilled | RT02 | Containers terminated by OOM | HIGH
Pod State | RT03 | Pods in Failed/Unknown phase | MEDIUM
Image Tags | RT04 | Running :latest or untagged images | MEDIUM
Health Probes | RT05 | Missing liveness/readiness probes | MEDIUM
Ephemeral | RT06 | Active debug containers | MEDIUM
Stale Pods | RT07 | Running 90+ days without restart | LOW
K8s Events | RT08 | Warning events in last hour | INFO
Pull Policy | RT09 | IfNotPresent with mutable tags | MEDIUM
Security Agent | RT10 | Falco/Tetragon status | HIGH
Unready Pods | RT11 | Not ready for 5+ minutes | MEDIUM
Replica Drift | RT12 | Available < desired replicas | MEDIUM

Runtime Security Detailed Findings

9 finding(s)
HIGH OOMKilled Containers

1 container(s) were recently OOMKilled - possible memory exhaustion

  • cnpg/cnpg-burpsuite-db-cluster-1/postgres
MEDIUM Running Containers Without Health Probes

11 running container(s) lack both liveness and readiness probes

  • default/httpbin-56c54d77b8-9cd8d/httpbin
  • grafana/test-grafana-58d4d869d5-lhq4q/grafana-sc-dashboard
  • grafana/test-grafana-58d4d869d5-lhq4q/grafana-sc-datasources
  • nats/nginx-fips-7b8698c4f6-blk4p/nginx-fips
  • nats/test-nats-0/reloader
  • nats/test-nats-1/reloader
  • nats/test-nats-2/reloader
  • nats/test-nats-box-7f6b679bdc-bfj7g/nats-box
  • tenable-enclave/test-tenable-enclave-tes-operator-68cd77c797-9cf26/tes-operator
  • tenable-enclave/test-tenable-enclave-tes-operator-77ccbbf7b6-dgknc/tes-operator
  • vector-aggregator/test-vector-aggregator-0/vector
MEDIUM Pods Not Ready for Extended Period

2 pod(s) have been in not-ready state for 5+ minutes

  • nats/test-nats-2 (unready 43209m)
  • tenable-enclave/test-tenable-enclave-tes-operator-68cd77c797-9cf26 (unready 43209m)
MEDIUM Deployment Replica Drift

2 deployment(s) have fewer available replicas than desired

  • cnpg/cnpg-burpsuite-db-cluster-pooler-rw (desired=3, available=2)
  • projectsveltos/sveltos-agent-manager (desired=1, available=0)
LOW Stale Long-Running Pods

3 pod(s) running 90+ days without restart

  • default/httpbin-56c54d77b8-9cd8d (age=143d)
  • nessus-scanner/nessus-bd65456d-twt2m (age=125d)
  • nessus/nessus-bd65456d-csp6k (age=100d)
INFO Recent Warning Events

9 warning event(s) in the last hour

  • cnpg/cnpg-burpsuite-db-cluster-pooler-rw-57d4f59b88: FailedCreate - Error creating: pods "cnpg-burpsuite-db-cluster-pooler-rw-57d4f59b88-w6hrm" is f
  • cnpg/cnpg-burpsuite-db-cluster-pooler-rw-57d4f59b88: FailedCreate - Error creating: pods "cnpg-burpsuite-db-cluster-pooler-rw-57d4f59b88-gn9m7" is f
  • cnpg/cnpg-burpsuite-db-cluster-pooler-rw-57d4f59b88: FailedCreate - Error creating: pods "cnpg-burpsuite-db-cluster-pooler-rw-57d4f59b88-shsl4" is f
  • -/pvc-e8e5049c-b3ff-413a-9c0f-4d13c6b88dd7: VolumeFailedDelete - persistentvolume pvc-e8e5049c-b3ff-413a-9c0f-4d13c6b88dd7 is still attached to n
  • nessus-manager/nessus-manager: FailedCreate - create Pod nessus-manager-0 in StatefulSet nessus-manager failed error: pods "ne
  • projectsveltos/sveltos-agent-manager-59d7f46f64: FailedCreate - Error creating: pods "sveltos-agent-manager-59d7f46f64-pmkpj" is forbidden: maxi
  • projectsveltos/sveltos-agent-manager-59d7f46f64: FailedCreate - Error creating: pods "sveltos-agent-manager-59d7f46f64-d6g6m" is forbidden: maxi
  • projectsveltos/sveltos-agent-manager-59d7f46f64: FailedCreate - Error creating: pods "sveltos-agent-manager-59d7f46f64-x29fm" is forbidden: maxi
  • projectsveltos/sveltos-agent-manager-59d7f46f64: FailedCreate - Error creating: pods "sveltos-agent-manager-59d7f46f64-xglsf" is forbidden: maxi
PASS All Running Images Use Pinned Tags

No running containers use :latest or untagged images

PASS No Ephemeral Containers Detected

No pods have ephemeral debug containers attached

PASS Runtime Security Agent Active

2 Falco pod(s) running