---
# Test-case tiers for the security suite. Each tier lists test cases that
# are selected through `run.name`; the `case_name` / `run.name` values are
# identifiers consumed by the test runner (this looks like an Xtesting-style
# testcases.yaml — confirm), so renaming one here alone will break the lookup.
tiers:
    -
        name: security
        order: 1
        # Looks like a regex over the CI loop name: this tier is picked up
        # by the daily and the weekly loops — verify against the consumer.
        ci_loop: '(daily)|(weekly)'
        description: >-
            Set of basic Functional security tests.
        testcases:
            -
                case_name: root_pods
                project_name: security
                # Pass threshold for the case; 100 presumably means every
                # check must succeed — verify the unit against the runner.
                criteria: 100
                # NOTE(review): every case in this tier is `blocking: false`,
                # so a security finding is reported but does not fail the CI
                # loop. Confirm this is intended rather than an oversight.
                blocking: false
                description: >-
                    test if pods are run in root.
                run:
                    name: 'root_pods'
            -
                # The spelling "unlimitted" is an identifier, not prose:
                # `case_name` and `run.name` agree for every case in this
                # file, so it is left unchanged here.
                case_name: unlimitted_pods
                project_name: security
                criteria: 100
                blocking: false
                description: >-
                    test if pods are run without limit.
                run:
                    name: 'unlimitted_pods'
            -
                case_name: cis_kubernetes
                project_name: security
                criteria: 100
                blocking: false
                description: >-
                    test if kubernetes install is CIS compliant.
                run:
                    name: 'cis_kubernetes'
            -
                case_name: http_public_endpoints
                project_name: security
                criteria: 100
                blocking: false
                description: >-
                    Check all ports exposed outside of kubernetes cluster
                    looking for plain http endpoint.
                run:
                    name: 'http_public_endpoints'
            -
                case_name: nonssl_endpoints
                project_name: security
                criteria: 100
                blocking: false
                description: >-
                    Check that all ports exposed outside of kubernetes cluster
                    use SSL tunnels.
                run:
                    name: 'nonssl_endpoints'
            -
                # `case_name` reads "jdpw" while the description says "jdwp"
                # (Java Debug Wire Protocol). The identifier is left as-is
                # because it presumably has to match the runner's name;
                # fixing it means changing the consumer at the same time.
                case_name: jdpw_ports
                project_name: security
                criteria: 100
                blocking: false
                description: >-
                    Check that no jdwp ports are exposed
                run:
                    name: 'jdpw_ports'
            -
                # Description is terse; the case name suggests a kube-hunter
                # scan of the cluster for known issues — confirm what the
                # runner actually executes.
                case_name: kube_hunter
                project_name: security
                criteria: 100
                blocking: false
                description: >-
                    Check k8s CVE.
                run:
                    name: 'kube_hunter'
            -
                case_name: versions
                project_name: security
                criteria: 100
                blocking: false
                description: >-
                    Check that Java and Python are available only in versions
                    recommended by SECCOM
                # Only this case declares a dependency; presumably it runs only
                # when the NODE_NAME environment variable matches 'weekly',
                # i.e. it is skipped in the daily loop — confirm against the
                # runner.
                dependencies:
                    - NODE_NAME: 'weekly'
                run:
                    name: 'versions'