Checks
Missing NetworkPolicy for deployment-like objects (KUBELIN-W1033)
Missing `dnsConfig` options in deployments (KUBELIN-W1011)
`PodDisruptionBudget` with `maxUnavailable` value preventing disruptions (KUBELIN-W1034)
`docker.sock` volume mounted in containers (KUBELIN-W1012)
Container with `NET_RAW` capability (KUBELIN-W1013)
Duplicate env vars dedicated (KUBELIN-W1014)
Insecure use of secrets in environment variables (KUBELIN-W1015)
Forbidden service types for exposed services (KUBELIN-W1016)
Pods sharing host's network namespace (KUBELIN-W1018)
Missing readiness probe (KUBELIN-W1030)
Missing rolling update strategy (KUBELIN-W1031)
Invalid service account reference (KUBELIN-W1032)
Unrestricted access to create pods (KUBELIN-W1001)
Unrestricted access to Secrets (KUBELIN-W1002)
`cluster admin` role should be used only where required (KUBELIN-W1003)
Missing `scaleTargetRef` in `HorizontalPodAutoscaler` (KUBELIN-W1004)
Ingress without associated services (KUBELIN-W1005)
NetworkPolicy without associated deployments (KUBELIN-W1006)
Misconfigured NetworkPolicyPeer podSelectors (KUBELIN-W1007)
Missing deployment for service (KUBELIN-W1008)
Pods using default service account (KUBELIN-W1009)
Sharing host's process namespace (KUBELIN-W1019)
Use of deprecated `serviceAccount` field in deployments (KUBELIN-W1010)
Insufficient `minReplicas` in `HorizontalPodAutoscaler` (KUBELIN-W1020)
Invalid port names in deployments or services (KUBELIN-W1021)
Invalid container image (KUBELIN-W1022)
Insufficient number of replicas (KUBELIN-W1023)
Mismatching deployment selector and pod template labels (KUBELIN-W1024)
Missing inter-pod anti-affinity in deployments with multiple replicas (KUBELIN-W1025)
Deprecated API versions used under `extensions/v1beta` (KUBELIN-W1026)
Missing liveness probe in containers (KUBELIN-W1027)
Missing node affinity in deployments (KUBELIN-W1028)
Containers running without a read-only root filesystem (KUBELIN-W1029)
Misconfigured `minAvailable` in `PodDisruptionBudget` (KUBELIN-W1035)
Container allows privilege escalation (KUBELIN-W1036)
Containers running in privileged mode (KUBELIN-W1037)
Containers mapping privileged ports (KUBELIN-W1038)
Reading secrets from environment variables (KUBELIN-W1039)
Invalid email annotation (KUBELIN-W1040)
Owner object without email annotation (KUBELIN-W1041)
Containers running as root (KUBELIN-W1042)
Sensitive host system directories mounted in containers (KUBELIN-W1043)
Non-SSH services using port 22 (KUBELIN-W1044)
Containers with unsafe `/proc` mount (KUBELIN-W1045)
Unsafe kernel parameters configured in containers (KUBELIN-W1046)
Containers without CPU resource requests and limits (KUBELIN-W1047)
Containers without memory resource requests and limits (KUBELIN-W1048)
Resources deployed to default namespace (KUBELIN-W1049)
Use of wildcards in `Role` or `ClusterRole` rules (KUBELIN-W1050)
Sharing host's IPC namespace (KUBELIN-W1017)
Containers with writable host path mounts (KUBELIN-W1051)
Unrestricted access to Secrets (KUBELIN-W1002)
Raised when a subject (Group, User or ServiceAccount) is granted access to Secrets. CIS Benchmark 5.1.2: access to Secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation.
Remediation
Where possible, remove `get`, `list` and `watch` access to Secret objects in the cluster.
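The following script is an added example, not kube-linter's own implementation of this check. It resolves which RBAC subjects end up with `get`, `list` or `watch` on Secrets by walking Role/ClusterRole rules and the bindings that reference them, treating `*` in `apiGroups`, `resources` or `verbs` as a grant. All manifests are constructed sample objects written as Python dicts (the same shape as the YAML the API server accepts) so the example runs offline without a YAML library; the namespace, role and subject names are invented.

```python
"""Added example: report RBAC subjects that can read Secrets (get/list/watch).

The manifests below are constructed for this example and mirror the YAML
layout of Role, ClusterRole, RoleBinding and ClusterRoleBinding objects.
"""

SECRET_READ_VERBS = {"get", "list", "watch"}


def rule_grants_secret_read(rule):
    """True if one RBAC rule grants get/list/watch on secrets.

    Secrets live in the core API group, spelled "" in apiGroups. A "*" in any
    of the three lists is treated as matching, so wildcard rules are caught too.
    """
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    in_core_group = "" in groups or "*" in groups
    on_secrets = "secrets" in resources or "*" in resources
    read_verb = "*" in verbs or bool(SECRET_READ_VERBS & set(verbs))
    return in_core_group and on_secrets and read_verb


def roles_reading_secrets(roles):
    """Map (kind, namespace, name) -> offending rules for each Role/ClusterRole."""
    found = {}
    for role in roles:
        meta = role["metadata"]
        # ClusterRoles are cluster-scoped, so their namespace key is "".
        key = (role["kind"], meta.get("namespace", ""), meta["name"])
        bad = [r for r in role.get("rules", []) if rule_grants_secret_read(r)]
        if bad:
            found[key] = bad
    return found


def subjects_with_secret_access(roles, bindings):
    """Resolve bindings to the subjects that receive secret read access.

    A RoleBinding may reference a Role in its own namespace or a ClusterRole;
    a ClusterRoleBinding references a ClusterRole. Returns sorted 'Kind/name'.
    """
    offending = roles_reading_secrets(roles)
    subjects = set()
    for binding in bindings:
        ref = binding["roleRef"]
        if ref["kind"] == "ClusterRole":
            key = ("ClusterRole", "", ref["name"])
        else:
            key = ("Role", binding["metadata"].get("namespace", ""), ref["name"])
        if key in offending:
            for s in binding.get("subjects", []):
                subjects.add(f"{s['kind']}/{s['name']}")
    return sorted(subjects)


# Constructed sample objects (not from any real cluster).
ROLES = [
    {"kind": "Role", "metadata": {"namespace": "payments", "name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    # Compliant: reads ConfigMaps only, no Secret access.
    {"kind": "Role", "metadata": {"namespace": "payments", "name": "configmap-reader"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    # Not a read grant: create without get/list/watch is outside this check's scope.
    {"kind": "Role", "metadata": {"namespace": "payments", "name": "secret-creator"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]}]},
]

BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"namespace": "payments", "name": "bind-secret-reader"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app-sa"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "bind-wildcard"},
     "roleRef": {"kind": "ClusterRole", "name": "wildcard-admin"},
     "subjects": [{"kind": "Group", "name": "ops-team"}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "payments", "name": "bind-cm"},
     "roleRef": {"kind": "Role", "name": "configmap-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "web-sa"}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "payments", "name": "bind-creator"},
     "roleRef": {"kind": "Role", "name": "secret-creator"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-sa"}]},
]

if __name__ == "__main__":
    for key, rules in roles_reading_secrets(ROLES).items():
        print(f"{key[0]} {key[2]} (ns={key[1] or '-'}): {len(rules)} rule(s) grant Secret read")
    print("subjects with Secret read access:", subjects_with_secret_access(ROLES, BINDINGS))
```

Only `secret-reader` and the wildcard ClusterRole are reported, so the subjects listed are `Group/ops-team` and `ServiceAccount/app-sa`; `configmap-reader` shows what the remediation leaves behind once Secret verbs are dropped. Note that the wildcard role cannot be fixed by deleting verbs alone: its `resources: ["*"]` has to be replaced with an explicit list that omits `secrets`.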