KubeLinter rule index:

- KUBELIN-W1059: Privileged container allowed (SCC)
- KUBELIN-W1052: ServiceMonitor selector mismatch
- KUBELIN-W1053: Job TTL misconfigured
- KUBELIN-W1054: Liveness probe port mismatch
- KUBELIN-W1055: PDB unhealthy pod eviction policy
- KUBELIN-W1056: Missing/invalid priority class
- KUBELIN-W1057: Readiness probe port mismatch
- KUBELIN-W1058: Missing restart policy
- KUBELIN-W1060: Startup probe port mismatch
- KUBELIN-W1033: Missing NetworkPolicy for deployment-like objects
- KUBELIN-W1011: Missing `dnsConfig` options in deployments
- KUBELIN-W1034: `PodDisruptionBudget` with `maxUnavailable` value preventing disruptions
- KUBELIN-W1012: `docker.sock` volume mounted in containers
- KUBELIN-W1013: Container with `NET_RAW` capability
- KUBELIN-W1014: Duplicate env vars dedicated
- KUBELIN-W1015: Insecure use of secrets in environment variables
- KUBELIN-W1016: Forbidden service types for exposed services
- KUBELIN-W1018: Pods sharing host's network namespace
- KUBELIN-W1030: Missing readiness probe
- KUBELIN-W1031: Missing rolling update strategy
- KUBELIN-W1032: Invalid service account reference
- KUBELIN-W1001: Unrestricted access to create pods
- KUBELIN-W1002: Unrestricted access to Secrets
- KUBELIN-W1003: `cluster admin` role should be used only where required
- KUBELIN-W1004: Missing `scaleTargetRef` in `HorizontalPodAutoscaler`
- KUBELIN-W1005: Ingress without associated services
- KUBELIN-W1006: NetworkPolicy without associated deployments
- KUBELIN-W1007: Misconfigured NetworkPolicyPeer podSelectors
- KUBELIN-W1008: Missing deployment for service
- KUBELIN-W1009: Pods using default service account
- KUBELIN-W1019: Sharing host's process namespace
- KUBELIN-W1010: Use of deprecated `serviceAccount` field in deployments
- KUBELIN-W1020: Insufficient `minReplicas` in `HorizontalPodAutoscaler`
- KUBELIN-W1021: Invalid port names in deployments or services
- KUBELIN-W1022: Invalid container image
- KUBELIN-W1023: Insufficient number of replicas
- KUBELIN-W1024: Mismatching deployment selector and pod template labels
- KUBELIN-W1025: Missing inter-pod anti-affinity in deployments with multiple replicas
- KUBELIN-W1026: Deprecated API versions used under `extensions/v1beta`
- KUBELIN-W1027: Missing liveness probe in containers
- KUBELIN-W1028: Missing node affinity in deployments
- KUBELIN-W1029: Containers running without a read-only root filesystem
- KUBELIN-W1035: Misconfigured `minAvailable` in `PodDisruptionBudget`
- KUBELIN-W1036: Container allows privilege escalation
- KUBELIN-W1037: Containers running in privileged mode
- KUBELIN-W1038: Containers mapping privileged ports
- KUBELIN-W1039: Reading secrets from environment variables
- KUBELIN-W1040: Invalid email annotation
- KUBELIN-W1041: Owner object without email annotation
- KUBELIN-W1042: Containers running as root
- KUBELIN-W1043: Sensitive host system directories mounted in containers
- KUBELIN-W1044: Non-SSH services using port 22
- KUBELIN-W1045: Containers with unsafe `/proc` mount
- KUBELIN-W1046: Unsafe kernel parameters configured in containers
- KUBELIN-W1047: Containers without CPU resource requests and limits
- KUBELIN-W1048: Containers without memory resource requests and limits
- KUBELIN-W1049: Resources deployed to default namespace
- KUBELIN-W1050: Use of wildcards in `Role` or `ClusterRole` rules
- KUBELIN-W1017: Sharing host's IPC namespace
- KUBELIN-W1051: Containers with writable host path mounts
Use of wildcards in `Role` or `ClusterRole` rules (KUBELIN-W1050)

Flags any wildcard (`*`) used in the rules of a `Role` or `ClusterRole`. CIS Benchmark 5.1.3: use of wildcards is not optimal from a security perspective, as it may allow inadvertent access to be granted when new resources are added to the Kubernetes API, either as CRDs or in later versions of the product.
Remediation
Where possible, replace any use of wildcards in ClusterRoles and Roles with specific objects or actions.
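The check described above, as an added example (not KubeLinter's own code): a small Python scanner that walks the JSON form of `Role`/`ClusterRole` objects (a single object or the `kind: List` that `kubectl get roles,clusterroles -A -o json` returns) and reports every rule whose `apiGroups`, `resources` or `verbs` contain a wildcard. The sample manifests are constructed for this example; the object names (`ops-wide-open`, `deploy-bot`) and the `payments` namespace are placeholders.

```python
"""Flag wildcard RBAC rules (the KUBELIN-W1050 condition). Added example, not KubeLinter code."""
import json

# Rule fields in which a '*' grants open-ended access. nonResourceURLs is left
# alone: trailing wildcards such as "/healthz/*" are the documented way to
# express a path prefix there and are not what this check targets.
WILDCARD_FIELDS = ("apiGroups", "resources", "verbs")


def _rbac_objects(manifest):
    """Yield Role/ClusterRole objects from one object or a kind: List wrapper."""
    kind = manifest.get("kind")
    if kind == "List":
        for item in manifest.get("items", []):
            yield from _rbac_objects(item)
    elif kind in ("Role", "ClusterRole"):
        yield manifest


def find_wildcard_rules(manifest):
    """Return one finding per rule that uses '*' in any of WILDCARD_FIELDS.

    A finding is (kind, namespace, name, rule_index, fields_with_wildcard).
    An entry counts as a wildcard if it is "*" or contains "*" (e.g. "*/scale").
    """
    findings = []
    for obj in _rbac_objects(manifest):
        meta = obj.get("metadata", {})
        for idx, rule in enumerate(obj.get("rules") or []):
            hits = [f for f in WILDCARD_FIELDS
                    if any("*" in entry for entry in (rule.get(f) or []))]
            if hits:
                findings.append((obj["kind"], meta.get("namespace"),
                                 meta.get("name"), idx, hits))
    return findings


# Constructed sample: the weak setting, one wildcard in every field.
WEAK_CLUSTERROLE = json.loads("""
{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
 "metadata": {"name": "ops-wide-open"},
 "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
""")

# Constructed sample: the remediated form, explicit groups, resources and verbs.
FIXED_CLUSTERROLE = json.loads("""
{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
 "metadata": {"name": "ops-wide-open"},
 "rules": [
   {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
   {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]}
 ]}
""")

# Constructed sample: a namespaced Role whose second rule still has "*" verbs.
PARTIAL_ROLE = json.loads("""
{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
 "metadata": {"name": "deploy-bot", "namespace": "payments"},
 "rules": [
   {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "patch"]},
   {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["*"]}
 ]}
""")

# The shape `kubectl get ... -o json` produces for several objects at once.
CLUSTER_DUMP = {"apiVersion": "v1", "kind": "List",
                "items": [FIXED_CLUSTERROLE, PARTIAL_ROLE]}


def format_findings(findings):
    """Render findings as one line each, for a CI log or a ticket."""
    return ["KUBELIN-W1050 %s %s rule[%d]: wildcard in %s"
            % (kind, name if ns is None else "%s/%s" % (ns, name), idx, ", ".join(hits))
            for kind, ns, name, idx, hits in findings]


if __name__ == "__main__":
    for line in format_findings(find_wildcard_rules(WEAK_CLUSTERROLE)):
        print(line)
    for line in format_findings(find_wildcard_rules(CLUSTER_DUMP)):
        print(line)
```

Run against a live cluster with `kubectl get roles,clusterroles -A -o json | python3 -c 'import json,sys; ...'` feeding the parsed document to `find_wildcard_rules`; an empty result for the remediated `ClusterRole` is the expected outcome, while the partial `Role` shows that a single wildcard field in one rule is enough to trigger the finding.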