View inspection items and solutions
This topic describes how to view inspection items and solutions on KubeSphere Cloud.
Alert severity: risky
NoCPULimits
Alert description: CPU limits are not set, so a misbehaving or malicious application may occupy most of the available CPU on the node, resulting in excessive resource consumption.
Solution: Set CPU limits for each container. For mission-critical or user-facing applications (for example, KubeEye), you are advised to set higher CPU limits.
Reference: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/.
Example
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "250m"
NoCPURequests
Alert description: CPU requests are not set.
Solution: Set CPU requests for each container. For mission-critical or user-facing applications (for example, KubeEye), you are advised to set the CPU request equal to the CPU limit so that the requested CPU is reserved exclusively for the application.
Reference: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/.
Example
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "250m"
HostNetworkAllowed
Alert description: hostNetwork is enabled, so the container shares its host's network namespace. It can reach services listening on the host's local interfaces and use that position to probe the host's local network.
Solution: Set hostNetwork to false.
Reference: https://kubernetes.io/docs/concepts/security/pod-security-policy/.
Example
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  hostNetwork: false
HostPIDAllowed
Alert description: When hostPID is enabled, the containers in the pod share the host's PID namespace. This results in elevated privileges when ptrace is permitted, because processes outside the container become visible and traceable.
Solution: Set hostPID to false.
Reference: https://kubernetes.io/docs/concepts/security/pod-security-policy/.
Example
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  hostPID: false
NotRunAsNonRoot
Alert description: runAsNonRoot is not set to true, so the container may run as root. If runAsNonRoot and runAsUser are not set in a pod, runAsNonRoot will be set to true. In this case, you are advised to also set allowPrivilegeEscalation to false.
Solution: Set runAsNonRoot to true. The example below additionally sets allowPrivilegeEscalation to false and readOnlyRootFilesystem to true.
Reference: https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/.
Example
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
NoMemoryLimits
Alert description: Memory limits are not set, so a misbehaving or malicious application may occupy most of the available memory on the node.
Solution: Set memory limits for each container. For mission-critical or user-facing applications (for example, KubeEye), you are advised to set higher memory limits.
Reference: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/.
Example
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "250m"
NoMemoryRequests
Alert description: Memory requests are not set.
Solution: Set memory requests for each container. For mission-critical or user-facing applications (for example, KubeEye), you are advised to set the memory request equal to the memory limit so that the requested memory is reserved exclusively for the application.
Reference: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/.
Example
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "250m"
PrivilegedAllowed
Alert description: In Linux, you can enable privileged mode for a container in a pod by setting the privileged parameter. This parameter is intended only for containers that genuinely require OS-level privileges.
Solution: Set allowPrivilegeEscalation to false.
Reference: https://kubernetes.io/docs/concepts/workloads/pods/.
Example
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    securityContext:
      allowPrivilegeEscalation: false
Alert severity: warning
ImagePullPolicyNotAlways
Alert description: Whenever the kubelet launches a container, it queries the container's image registry and resolves the name to an image digest. If the kubelet has a container image and its corresponding digest is already cached locally, the kubelet uses the cached image. Otherwise, the kubelet pulls the image with the resolved digest and uses that image to launch the container.
Solution: Set imagePullPolicy to Always.
Reference: https://kubernetes.io/docs/concepts/containers/images/.
Example
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    imagePullPolicy: Always
NotReadOnlyRootFilesystem
Alert description: The container's root filesystem is not read-only. Containers are required to run with the root filesystem mounted as read-only, meaning that a writable root layer is not allowed.
Solution: Set readOnlyRootFilesystem to true.
Reference: https://kubernetes.io/docs/concepts/security/pod-security-policy/.
Example
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    securityContext:
      readOnlyRootFilesystem: true
InsecureCapabilities
Alert description: Enabling insecure capabilities results in elevated privileges for the pod. For example, the KILL capability grants the container the ability to kill host processes.
Solution: Do not enable insecure capabilities such as CHOWN, FSETID, SETFCAP, SETPCAP, and KILL; drop them explicitly in the container's securityContext.
Reference: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/.
Example
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    securityContext:
      capabilities:
        drop:
        - CHOWN
        - FSETID
        - SETFCAP
        - SETPCAP
        - KILL
NoReadinessProbe
Alert description: readinessProbe is not set. Note that if readinessProbe is missing or configured incorrectly, the number of processes in a container may keep increasing, which can lead to resource exhaustion.
Solution: Set readinessProbe properly.
Reference: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/.
Example
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    readinessProbe:
      httpGet:
        path: /healthy
        port: 8080
      initialDelaySeconds: 5
      periodSeconds: 5
NoLivenessProbe
Alert description: livenessProbe is not set. A liveness probe is used to detect when an application has stopped working and to handle that state by restarting the container.
Solution: Set livenessProbe properly.
Reference: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/.
Example
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    livenessProbe:
      httpGet:
        path: /healthz
        port: 8080
      initialDelaySeconds: 5
      periodSeconds: 5
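As an added example (not KubeEye's or KubeSphere Cloud's own code), the following Python function applies the pod-level checks described above, from NoCPULimits through NoLivenessProbe, to a Pod manifest loaded as a dict. The item names are the page's; the sample pod is constructed, and the exact evaluation logic is an assumption about how each item is judged.

```python
# Added example, not KubeEye's own code: a small checker for the pod-level items above.
INSECURE_CAPS = {"CHOWN", "FSETID", "SETFCAP", "SETPCAP", "KILL"}  # from the InsecureCapabilities item

def inspect_pod(pod):
    """Return the sorted names of the inspection items that fire for one Pod dict."""
    spec = pod.get("spec", {})
    findings = set()
    if spec.get("hostNetwork"):
        findings.add("HostNetworkAllowed")
    if spec.get("hostPID"):
        findings.add("HostPIDAllowed")
    for c in spec.get("containers", []):
        res = c.get("resources", {})
        for kind in ("limits", "requests"):  # NoCPULimits, NoMemoryRequests, ...
            for rname, label in (("cpu", "CPU"), ("memory", "Memory")):
                if rname not in res.get(kind, {}):
                    findings.add("No" + label + kind.capitalize())
        sc = c.get("securityContext", {})
        if not sc.get("runAsNonRoot"):
            findings.add("NotRunAsNonRoot")
        # privileged mode, or allowPrivilegeEscalation left at its default (allowed)
        if sc.get("privileged") or sc.get("allowPrivilegeEscalation", True):
            findings.add("PrivilegedAllowed")
        if not sc.get("readOnlyRootFilesystem"):
            findings.add("NotReadOnlyRootFilesystem")
        if INSECURE_CAPS & set(sc.get("capabilities", {}).get("add", [])):
            findings.add("InsecureCapabilities")
        if c.get("imagePullPolicy") != "Always":
            findings.add("ImagePullPolicyNotAlways")
        if "readinessProbe" not in c:
            findings.add("NoReadinessProbe")
        if "livenessProbe" not in c:
            findings.add("NoLivenessProbe")
    return sorted(findings)

# Constructed sample pod: hostPID on, no limits, KILL added, no readiness probe.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {"hostPID": True, "containers": [{
        "name": "demo", "image": "demo", "imagePullPolicy": "Always",
        "resources": {"requests": {"cpu": "250m", "memory": "64Mi"}},
        "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                            "allowPrivilegeEscalation": False, "capabilities": {"add": ["KILL"]}},
        "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
    }]},
}

if __name__ == "__main__":
    print(inspect_pod(SAMPLE_POD))
```

Running it on the sample pod reports HostPIDAllowed, InsecureCapabilities, NoCPULimits, NoMemoryLimits and NoReadinessProbe; a manifest that follows every example on this page returns an empty list.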
CanImpersonateUser
Alert description: A user can act as another user through impersonation headers. These let requests manually override the user info a request authenticates as. For example, an admin could use this feature to debug an authorization policy by temporarily impersonating another user and seeing if a request was denied.
Solution: Impersonating a user or group allows you to perform any action as if you were that user or group; for that reason, impersonation is not namespace scoped. If you want to allow impersonation using Kubernetes RBAC, this requires using a ClusterRole and a ClusterRoleBinding, not a Role and RoleBinding.
Reference: https://kubernetes.io/docs/reference/access-authn-authz/authentication/.
CanModifyWorkloads
Alert description: Users are allowed to create, modify, and delete workloads.
Solution: Check RBAC settings.
Reference: https://kubernetes.io/docs/reference/access-authn-authz/rbac/.