Checks performed
- Enable Audit Logs
- Ensure Kubeconfig File Permissions Are Restrictive
- Ensure Kubelet Kubeconfig File Ownership Is Set to Root
- Ensure Kubelet Configuration File Has Restrictive Permissions
- Ensure Kubelet Configuration File Ownership Is Set to Root
- Ensure the anonymous-auth Argument Is Disabled
- Ensure the authorization-mode Argument Is Not Set to AlwaysAllow
- Ensure the client-ca-file Argument Is Set as Appropriate
- Ensure the read-only-port Is Secured
- Ensure the streaming-connection-idle-timeout Argument Is Not Set to 0
- Ensure the protect-kernel-defaults Argument Is Enabled
- Ensure the make-iptables-util-chains Argument Is Enabled
- Ensure the hostname-override Argument Is Not Set
- Ensure the eventRecordQPS Argument Is Set to 0 or a Level Which Ensures Appropriate Event Capture
- Ensure the rotate-certificates Argument Is Not Disabled
- Ensure the RotateKubeletServerCertificate Argument Is Enabled
- Ensure the cluster-admin Role Is Only Used Where Required
- Minimize Access to Secrets
- Minimize Wildcard Use in Roles and ClusterRoles
- Minimize Access to Create Pods
- Ensure Default Service Accounts Are Not Actively Used
- Ensure Service Account Tokens Are Only Mounted Where Necessary
- Minimize the Admission of Privileged Containers
- Do Not Generally Permit Containers to Run with the hostPID Flag Enabled
- Minimize the Admission of Containers Wishing to Share the Host IPC Namespace
- Minimize the Admission of Containers Wishing to Share the Host Network Namespace
- Minimize the Admission of Containers with allowPrivilegeEscalation
- Minimize the Admission of Root Containers
- Minimize the Admission of Containers with the NET_RAW Capability
- Minimize the Admission of Containers with Added Capabilities
- Minimize the Admission of Containers with Capabilities Assigned
- Ensure the Latest CNI Version Is Used
- Ensure That All Namespaces Have Network Policies Defined
- Prefer Using Secrets as Files over Secrets as Environment Variables
- Consider External Secret Storage
- Verify That Admission Controllers Are Working as Expected
- Create Administrative Boundaries Between Resources Using Namespaces
- Apply a Security Context to Your Pods and Containers
- The default Namespace Should Not Be Used
- Ensure Image Vulnerability Scanning Using Azure Defender Image Scanning or a Third-Party Provider
- Minimize User Access to Azure Container Registry
- Minimize Cluster Access to Read-Only for Azure Container Registry
- Minimize Container Registries to Only Those Approved
- Prefer Using Dedicated AKS Service Accounts
- Ensure Kubernetes Secrets Are Encrypted
- Restrict Access to the Control Plane Endpoint
- Ensure Clusters Are Created with Private Endpoint Enabled and Public Access Disabled
- Ensure Clusters Are Created with Private Nodes
- Ensure Network Policy Is Enabled and Set as Appropriate
- Encrypt Traffic to HTTPS Load Balancers with TLS Certificates
- Manage Kubernetes RBAC Users with Azure AD
- Use Azure RBAC for Kubernetes Authorization
- Restrict Untrusted Workloads
- Hostile Multi-Tenant Workloads