Kubernetes Security Assessment Report

Cluster: dev-sec-burpsuite | Kubernetes: 1.33 | Scanned: 2026-05-20 18:30:06 UTC | Total Findings: 466

🛡 OWASP Kubernetes Top 10

Assessment based on the OWASP Kubernetes Top Ten framework | 17 findings, 191 affected resources

Critical

High

151

Medium

Info

Pass

Category	Risk	Findings	Worst Severity
K01	Insecure Workload Configurations	123 issue(s) / 4 finding(s)	CRITICAL
K02	Overly Permissive RBAC	1 issue(s) / 1 finding(s)	HIGH
K03	Secrets Management Failures	10 issue(s) / 3 finding(s)	MEDIUM
K04	Lack of Centralized Policy Enforcement	16 issue(s) / 2 finding(s)	CRITICAL
K05	Missing Network Segmentation	0 issue(s) / 1 finding(s)	PASS
K06	Overly Exposed Cluster Components	3 issue(s) / 2 finding(s)	MEDIUM
K07	Misconfigured Cluster Components	0 issue(s) / 0 finding(s)	PASS
K08	Cluster-to-Cloud Lateral Movement	6 issue(s) / 1 finding(s)	MEDIUM
K09	Broken Authentication Mechanisms	18 issue(s) / 2 finding(s)	MEDIUM
K10	Inadequate Logging and Monitoring	0 issue(s) / 1 finding(s)	PASS

K01: Insecure Workload Configurations

123 issue(s) / 4 finding(s)

CRITICALHost Path Mounts

9 pods mount host paths

Affected Resources

fluent-bit/dev-fluent-bit-4kzmb -> /var/log
fluent-bit/dev-fluent-bit-9wqsp -> /var/log
fluent-bit/dev-fluent-bit-dv8cq -> /var/log
fluent-bit/dev-fluent-bit-fndxz -> /var/log
fluent-bit/dev-fluent-bit-kbpxk -> /var/log
fluent-bit/dev-fluent-bit-lb5j9 -> /var/log
fluent-bit/dev-fluent-bit-s82rz -> /var/log
fluent-bit/dev-fluent-bit-vfs2w -> /var/log
fluent-bit/dev-fluent-bit-zl6fh -> /var/log

MEDIUMMissing readOnlyRootFilesystem

46 containers lack readOnlyRootFilesystem: true

Affected Resources

clamav/dev-clamav-7f99944445-sm6jh/clamd
clamav/dev-clamav-7f99944445-sm6jh/freshclam-init
fluent-bit/dev-fluent-bit-4kzmb/fluent-bit
fluent-bit/dev-fluent-bit-4kzmb/nats-publisher
fluent-bit/dev-fluent-bit-9wqsp/fluent-bit
fluent-bit/dev-fluent-bit-9wqsp/nats-publisher
fluent-bit/dev-fluent-bit-dv8cq/fluent-bit
fluent-bit/dev-fluent-bit-dv8cq/nats-publisher
fluent-bit/dev-fluent-bit-fndxz/fluent-bit
fluent-bit/dev-fluent-bit-fndxz/nats-publisher
fluent-bit/dev-fluent-bit-kbpxk/fluent-bit
fluent-bit/dev-fluent-bit-kbpxk/nats-publisher
fluent-bit/dev-fluent-bit-lb5j9/fluent-bit
fluent-bit/dev-fluent-bit-lb5j9/nats-publisher
fluent-bit/dev-fluent-bit-s82rz/fluent-bit
fluent-bit/dev-fluent-bit-s82rz/nats-publisher
fluent-bit/dev-fluent-bit-vfs2w/fluent-bit
fluent-bit/dev-fluent-bit-vfs2w/nats-publisher
fluent-bit/dev-fluent-bit-zl6fh/fluent-bit
fluent-bit/dev-fluent-bit-zl6fh/nats-publisher

MEDIUMMissing runAsNonRoot

45 containers lack runAsNonRoot: true

Affected Resources

clamav/dev-clamav-7f99944445-sm6jh/clamd
clamav/dev-clamav-7f99944445-sm6jh/freshclam-init
cnpg/cnpg-operator-cloudnative-pg-6b8754bf9b-2zr97/manager
fluent-bit/dev-fluent-bit-4kzmb/fluent-bit
fluent-bit/dev-fluent-bit-4kzmb/nats-publisher
fluent-bit/dev-fluent-bit-9wqsp/fluent-bit
fluent-bit/dev-fluent-bit-9wqsp/nats-publisher
fluent-bit/dev-fluent-bit-dv8cq/fluent-bit
fluent-bit/dev-fluent-bit-dv8cq/nats-publisher
fluent-bit/dev-fluent-bit-fndxz/fluent-bit
fluent-bit/dev-fluent-bit-fndxz/nats-publisher
fluent-bit/dev-fluent-bit-kbpxk/fluent-bit
fluent-bit/dev-fluent-bit-kbpxk/nats-publisher
fluent-bit/dev-fluent-bit-lb5j9/fluent-bit
fluent-bit/dev-fluent-bit-lb5j9/nats-publisher
fluent-bit/dev-fluent-bit-s82rz/fluent-bit
fluent-bit/dev-fluent-bit-s82rz/nats-publisher
fluent-bit/dev-fluent-bit-vfs2w/fluent-bit
fluent-bit/dev-fluent-bit-vfs2w/nats-publisher
fluent-bit/dev-fluent-bit-zl6fh/fluent-bit

MEDIUMMissing Resource Limits

23 containers have no resource limits/requests

Affected Resources

cnpg/cnpg-operator-cloudnative-pg-6b8754bf9b-2zr97/manager
external-dns/external-dns-6cbf69b969-658w4/external-dns
fluent-bit/dev-fluent-bit-4kzmb/fluent-bit
fluent-bit/dev-fluent-bit-9wqsp/fluent-bit
fluent-bit/dev-fluent-bit-dv8cq/fluent-bit
fluent-bit/dev-fluent-bit-fndxz/fluent-bit
fluent-bit/dev-fluent-bit-kbpxk/fluent-bit
fluent-bit/dev-fluent-bit-lb5j9/fluent-bit
fluent-bit/dev-fluent-bit-s82rz/fluent-bit
fluent-bit/dev-fluent-bit-vfs2w/fluent-bit
fluent-bit/dev-fluent-bit-zl6fh/fluent-bit
grafana/dev-grafana-5dbcfccc84-zm5jp/grafana-sc-dashboard
grafana/dev-grafana-5dbcfccc84-zm5jp/grafana-sc-datasources
grafana/dev-grafana-prometheus-server-755f57f586-8lfd7/prometheus-server-configmap-reload
nats/dev-nats-0/reloader
nats/dev-nats-1/reloader
nats/dev-nats-2/reloader
nats/dev-nats-box-5dbd879cd9-b8g5q/nats-box
nats/dev-nats-tower-0/setup-ca-trust
nats/dev-nats-tower-stream-init-sq66f/setup-ca-trust

K02: Overly Permissive RBAC

1 issue(s) / 1 finding(s)

HIGHCluster-Admin Bindings

1 bindings grant cluster-admin or equivalent

Affected Resources

cluster-admin -> Group/system:masters

K03: Secrets Management Failures

10 issue(s) / 3 finding(s)

MEDIUMCloud Provider Credentials in Secrets

10 secrets appear to contain cloud credentials

Affected Resources

argo-cd/argocd-repo-creds-ssh-creds
burpsuite/burpsuite-db-cnpg-backup-creds
cert-manager/rt53-creds
external-dns/rt53-creds
kube-system/openstack-cloud-config
kube-system/os-app-creds
kube-system/sh.helm.release.v1.openstack-ccm.v1
kube-system/sh.helm.release.v1.openstack-csi.v1
nats/dev-nats-tower-credentials
vector-aggregator/vector-aggregator-nats-creds

INFOSecret Inventory

139 secrets total, 89 Opaque type

PASSExternal Secrets Management Present

Found: clusterexternalsecrets.external-secrets.io, externalsecrets.external-secrets.io, vaultdynamicsecrets.generators.external-secrets.io

K04: Lack of Centralized Policy Enforcement

16 issue(s) / 2 finding(s)

CRITICALPod Security Admission Not Enforced

Only 1/17 application namespaces have PSA enforce labels

Affected Resources

princess-peach: restricted

INFOValidation Policies Found

10 policies with validate rules

Affected Resources

disallow-host-namespaces
disallow-host-path-volumes
disallow-host-ports
disallow-latest-tag
disallow-privilege-escalation
disallow-privileged-containers
require-drop-all-capabilities
require-readonly-rootfs
require-resource-limits
require-run-as-nonroot

K05: Missing Network Segmentation

0 issue(s) / 1 finding(s)

PASSNetwork Segmentation Present

K8s: 1, Cilium: 0+0, Istio: 0

K06: Overly Exposed Cluster Components

3 issue(s) / 2 finding(s)

MEDIUMLoadBalancer Services Exposed

3 services directly exposed via LoadBalancer

Affected Resources

nats/dev-nats (139.66.40.83)
nessus-manager/nessus-manager-agents (139.66.21.167)
nessus-scanner/tenable-nessus (139.66.13.154)

PASSAll Ingresses Use TLS

All 10 ingresses have TLS configured

K07: Misconfigured Cluster Components

0 issue(s) / 0 finding(s)

K08: Cluster-to-Cloud Lateral Movement

6 issue(s) / 1 finding(s)

MEDIUMCloud Credentials Accessible In-Cluster

6 secrets contain cloud provider credentials

Affected Resources

cert-manager/rt53-creds
external-dns/rt53-creds
kube-system/openstack-cloud-config
kube-system/os-app-creds
kube-system/sh.helm.release.v1.openstack-ccm.v1
kube-system/sh.helm.release.v1.openstack-csi.v1

K09: Broken Authentication Mechanisms

18 issue(s) / 2 finding(s)

MEDIUMDefault SA Auto-Mounts Tokens

17 namespaces have default SA with automountServiceAccountToken != false

Affected Resources

cilium-secrets
clamav
cnpg
default
external-dns
fluent-bit
grafana
kcm-system
nats
nessus-manager
nessus-scanner
pgadmin4
projectsveltos
splunk-operator
tenable
tenable-enclave
vector-aggregator

MEDIUMNo mTLS Enforcement

No Istio PeerAuthentication resources found

K10: Inadequate Logging and Monitoring

0 issue(s) / 1 finding(s)

PASSSecurity Monitoring Present

4/4 monitoring categories covered

Affected Resources

Runtime Security (Falco)
Log Collection (Vector/Fluentd/Fluentbit)
SIEM (Splunk/ELK)
Network Observability (Hubble)

🔎 CWE/SANS Top 25 (2025)

Assessment mapped from 2025 CWE Top 25 to Kubernetes controls | 13 findings, 132 affected resources

High

100

Medium

CWE Kubernetes Relevance Mapping

Rank	CWE ID	Weakness	K8s Relevance
1	CWE-79	XSS: Cross-site Scripting	High — WAF/ModSecurity at ingress layer
2	CWE-89	SQL Injection	High — Database service exposure, parameterized queries
3	CWE-352	Cross-Site Request Forgery (CSRF)	Medium — Ingress-level CSRF protection headers
4	CWE-862	Missing Authorization	Critical — RBAC — missing authorization on SA/roles
5	CWE-787	Out-of-bounds Write	Medium — Image vulnerability scanning (Trivy)
6	CWE-22	Path Traversal	Critical — hostPath mounts enable path traversal
7	CWE-416	Use After Free	Medium — Image vulnerability scanning (Trivy)
8	CWE-125	Out-of-bounds Read	Medium — Image vulnerability scanning (Trivy)
9	CWE-78	OS Command Injection	Critical — Command injection — readOnlyRootFS, runAsNonRoot
10	CWE-94	Code Injection	Critical — pods/exec RBAC = code injection vector
11	CWE-120	Classic Buffer Overflow	Low — Image vulnerability scanning (Trivy)
12	CWE-434	Unrestricted Upload of Dangerous File Type	Medium — readOnlyRootFilesystem, ephemeral storage
13	CWE-476	NULL Pointer Dereference	Low — Image vulnerability scanning (Trivy)
14	CWE-121	Stack-based Buffer Overflow	Low — Application-level
15	CWE-502	Deserialization of Untrusted Data	High — Deserialization — readOnlyRootFS, network policies
16	CWE-122	Heap-based Buffer Overflow	Low — Application-level
17	CWE-863	Incorrect Authorization	Critical — Broken access control — RBAC misconfig
18	CWE-20	Improper Input Validation	Low — Application-level
19	CWE-284	Improper Access Control	Critical — Improper access control — RBAC
20	CWE-200	Exposure of Sensitive Information	High — Env var exposure, secret protection
21	CWE-306	Missing Authentication for Critical Function	High — Missing authentication — Ingress auth annotations
22	CWE-918	Server-Side Request Forgery (SSRF)	High — SSRF — NetworkPolicy egress restrictions
23	CWE-77	Command Injection	Critical — Command injection — same as CWE-78
24	CWE-639	Authorization Bypass Through User-Controlled Key	Medium — SA token automount = authorization bypass vector
25	CWE-770	Allocation of Resources Without Limits	Critical — Resource limits prevent DoS

CWE Detailed Findings

132 affected resource(s) / 13 finding(s)

HIGHCWE-22: Pods with hostPath volume mounts (Path Traversal risk)

27 pod(s) mount host filesystem paths. A compromised container could traverse the host filesystem.

Affected Resources

fluent-bit/dev-fluent-bit-4kzmb mounts hostPath=/var/log
fluent-bit/dev-fluent-bit-4kzmb mounts hostPath=/var/lib/docker/containers
fluent-bit/dev-fluent-bit-4kzmb mounts hostPath=/etc/machine-id
fluent-bit/dev-fluent-bit-9wqsp mounts hostPath=/var/log
fluent-bit/dev-fluent-bit-9wqsp mounts hostPath=/var/lib/docker/containers
fluent-bit/dev-fluent-bit-9wqsp mounts hostPath=/etc/machine-id
fluent-bit/dev-fluent-bit-dv8cq mounts hostPath=/var/log
fluent-bit/dev-fluent-bit-dv8cq mounts hostPath=/var/lib/docker/containers
fluent-bit/dev-fluent-bit-dv8cq mounts hostPath=/etc/machine-id
fluent-bit/dev-fluent-bit-fndxz mounts hostPath=/var/log
fluent-bit/dev-fluent-bit-fndxz mounts hostPath=/var/lib/docker/containers
fluent-bit/dev-fluent-bit-fndxz mounts hostPath=/etc/machine-id
fluent-bit/dev-fluent-bit-kbpxk mounts hostPath=/var/log
fluent-bit/dev-fluent-bit-kbpxk mounts hostPath=/var/lib/docker/containers
fluent-bit/dev-fluent-bit-kbpxk mounts hostPath=/etc/machine-id
fluent-bit/dev-fluent-bit-lb5j9 mounts hostPath=/var/log
fluent-bit/dev-fluent-bit-lb5j9 mounts hostPath=/var/lib/docker/containers
fluent-bit/dev-fluent-bit-lb5j9 mounts hostPath=/etc/machine-id
fluent-bit/dev-fluent-bit-s82rz mounts hostPath=/var/log
fluent-bit/dev-fluent-bit-s82rz mounts hostPath=/var/lib/docker/containers
fluent-bit/dev-fluent-bit-s82rz mounts hostPath=/etc/machine-id
fluent-bit/dev-fluent-bit-vfs2w mounts hostPath=/var/log
fluent-bit/dev-fluent-bit-vfs2w mounts hostPath=/var/lib/docker/containers
fluent-bit/dev-fluent-bit-vfs2w mounts hostPath=/etc/machine-id
fluent-bit/dev-fluent-bit-zl6fh mounts hostPath=/var/log
fluent-bit/dev-fluent-bit-zl6fh mounts hostPath=/var/lib/docker/containers
fluent-bit/dev-fluent-bit-zl6fh mounts hostPath=/etc/machine-id

HIGHCWE-94: ClusterRoles allowing pod exec/attach (Code Injection vector)

5 ClusterRole(s) grant pods/exec or pods/attach create access, enabling code injection into running containers.

Affected Resources

ClusterRole/admin
ClusterRole/cnpg-operator-cloudnative-pg
ClusterRole/edit
ClusterRole/splunk-operator-manager-role
ClusterRole/system:aggregate-to-edit

MEDIUMCWE-79: Ingresses without WAF/ModSecurity protection

10 ingress(es) expose web applications without WAF annotations (ModSecurity/OWASP CRS). XSS attacks against exposed web apps are not mitigated at the ingress layer.

Affected Resources

argo-cd/argo-cd-argocd-server
burpsuite/bsee-ingress
grafana/dev-grafana
nats/dev-nats-tower
nessus-manager/nessus-manager-ui
pgadmin4/dev-pgadmin4
princess-peach/princess-peach
splunk/shc-dev-ingress
tenable-enclave/dev-tenable-enclave-tes-operator
vector-aggregator/dev-vector-aggregator

MEDIUMCWE-78/CWE-77: Containers without readOnlyRootFilesystem or runAsNonRoot

30 container(s) run without readOnlyRootFilesystem AND runAsNonRoot. If command injection is exploited, attackers gain writable root filesystem access as root user.

Affected Resources

fluent-bit/dev-fluent-bit-4kzmb/fluent-bit
fluent-bit/dev-fluent-bit-4kzmb/nats-publisher
fluent-bit/dev-fluent-bit-9wqsp/fluent-bit
fluent-bit/dev-fluent-bit-9wqsp/nats-publisher
fluent-bit/dev-fluent-bit-dv8cq/fluent-bit
fluent-bit/dev-fluent-bit-dv8cq/nats-publisher
fluent-bit/dev-fluent-bit-fndxz/fluent-bit
fluent-bit/dev-fluent-bit-fndxz/nats-publisher
fluent-bit/dev-fluent-bit-kbpxk/fluent-bit
fluent-bit/dev-fluent-bit-kbpxk/nats-publisher
fluent-bit/dev-fluent-bit-lb5j9/fluent-bit
fluent-bit/dev-fluent-bit-lb5j9/nats-publisher
fluent-bit/dev-fluent-bit-s82rz/fluent-bit
fluent-bit/dev-fluent-bit-s82rz/nats-publisher
fluent-bit/dev-fluent-bit-vfs2w/fluent-bit
fluent-bit/dev-fluent-bit-vfs2w/nats-publisher
fluent-bit/dev-fluent-bit-zl6fh/fluent-bit
fluent-bit/dev-fluent-bit-zl6fh/nats-publisher
nats/dev-nats-0/nats
nats/dev-nats-0/reloader
nats/dev-nats-1/nats
nats/dev-nats-1/reloader
nats/dev-nats-2/nats
nats/dev-nats-2/reloader
nats/dev-nats-box-5dbd879cd9-b8g5q/nats-box
nats/dev-nats-tower-0/nats-tower
nats/dev-nats-tower-stream-init-sq66f/stream-init
nessus-manager/nessus-manager-0/nessus-manager
nessus-scanner/nessus-7d59669dd7-bsdtv/securitycenter
pgadmin4/dev-pgadmin4-7c99f47cc8-xq7mt/pgadmin4

MEDIUMCWE-306: Ingresses without authentication annotations

9 ingress(es) have no external authentication configured (auth-url, auth-signin, etc).

Affected Resources

argo-cd/argo-cd-argocd-server (argo.security.sci-dev.scs.sap)
burpsuite/bsee-ingress (burpsuite.security.sci-dev.scs.sap)
grafana/dev-grafana (security-dashboard.security.sci-dev.scs.sap)
nats/dev-nats-tower (nats-tower.security.sci-dev.scs.sap)
nessus-manager/nessus-manager-ui (nessus.security.sci-dev.scs.sap)
pgadmin4/dev-pgadmin4 (pgadmin4.security.sci-dev.scs.sap)
princess-peach/princess-peach (princess-peach.never.security.sci-dev.scs.sap)
splunk/shc-dev-ingress (splunk.security.sci-dev.scs.sap)
tenable-enclave/dev-tenable-enclave-tes-operator (tenable-enclave.security.sci-dev.scs.sap)

MEDIUMCWE-918: Insufficient network policies to prevent SSRF

Only 1 NetworkPolicy(ies) across 33 namespaces. Pods can reach cloud metadata endpoints (169.254.169.254) and internal services, enabling SSRF attacks.

MEDIUMCWE-770: Containers without resource limits (DoS risk)

19 container(s) have no resource limits. A runaway process could exhaust node resources (Denial of Service).

Affected Resources

cnpg/cnpg-operator-cloudnative-pg-6b8754bf9b-2zr97/manager
external-dns/external-dns-6cbf69b969-658w4/external-dns
fluent-bit/dev-fluent-bit-4kzmb/fluent-bit
fluent-bit/dev-fluent-bit-9wqsp/fluent-bit
fluent-bit/dev-fluent-bit-dv8cq/fluent-bit
fluent-bit/dev-fluent-bit-fndxz/fluent-bit
fluent-bit/dev-fluent-bit-kbpxk/fluent-bit
fluent-bit/dev-fluent-bit-lb5j9/fluent-bit
fluent-bit/dev-fluent-bit-s82rz/fluent-bit
fluent-bit/dev-fluent-bit-vfs2w/fluent-bit
fluent-bit/dev-fluent-bit-zl6fh/fluent-bit
grafana/dev-grafana-5dbcfccc84-zm5jp/grafana-sc-dashboard
grafana/dev-grafana-5dbcfccc84-zm5jp/grafana-sc-datasources
grafana/dev-grafana-prometheus-server-755f57f586-8lfd7/prometheus-server-configmap-reload
nats/dev-nats-0/reloader
nats/dev-nats-1/reloader
nats/dev-nats-2/reloader
nats/dev-nats-box-5dbd879cd9-b8g5q/nats-box
pgadmin4/dev-pgadmin4-7c99f47cc8-xq7mt/pgadmin4

INFOCWE-79/CWE-89/CWE-352: Application-layer injection/CSRF weaknesses

XSS, SQL Injection, and CSRF are primarily application-code vulnerabilities. Mitigation: Use WAFs at the ingress layer, keep container images updated, run vulnerability scanners on application code.

INFOCWE-787/CWE-416/CWE-125/CWE-120/CWE-121/CWE-122/CWE-476: Memory safety weaknesses (C/C++ binary vulnerabilities)

Out-of-bounds Write/Read, Use After Free, Buffer Overflows, and NULL Pointer Dereference are binary-level vulnerabilities. Mitigation: Use container image vulnerability scanners (Trivy, Grype) to detect known CVEs in base images. Apply readOnlyRootFilesystem and drop all capabilities to limit exploit impact.

INFOCWE-434: Unrestricted file upload

Applies to web applications allowing file uploads. Mitigation: readOnlyRootFilesystem, ephemeral container storage, and network policies limit post-exploitation impact.

INFOTrivy VulnerabilityReports not available

aquasecurity.github.io CRDs not installed. Consider deploying Trivy Operator for image vulnerability scanning.

PASSCWE-89: No database services directly exposed

All database services use ClusterIP (internal only).

PASSCWE-200: No plain-text secrets detected in environment variables

All sensitive env vars use secretKeyRef or are absent.

🌏 NIST Cybersecurity Framework (CSF) 2.0

Assessment mapped to NIST CSF 2.0 (Feb 2024) — 6 Functions, 22 Categories, 106 Subcategories. 12 findings, 183 affected resources

Medium

High

Medium

101

Info

CSF 2.0 Function Mapping

Function	ID	Focus Area	K8s Controls
GOVERN	GV	Organizational context, risk strategy, supply chain	Kyverno policies, namespace labels, image registries
IDENTIFY	ID	Asset management, risk assessment	Resource inventory, vulnerability scanning
PROTECT	PR	Access control, data security, platform security	RBAC, PSA, Secrets, resource limits
DETECT	DE	Continuous monitoring, adverse events	Falco, Vector/Splunk logging
RESPOND	RS	Incident management, analysis	NetworkPolicies for containment
RECOVER	RC	Recovery planning	Backup CronJobs, Velero

CSF 2.0 Detailed Findings

12 finding(s)

HIGH ID.RA - No Vulnerability Scanning

No Trivy/Grype operator detected

HIGH PR.PS - Pod Security Standards Not Enforced

17/17 application namespaces lack PSA enforce labels

cilium-secrets
clamav
cnpg
default
external-dns
fluent-bit
grafana
kcm-system
nats
nessus-manager
nessus-scanner
pgadmin4
projectsveltos
splunk-operator
tenable
tenable-enclave
vector-aggregator

MEDIUM GV.RM - Policies in Audit Only

12 policies exist but none enforce

cnpg-burpsuite-db-pod-policy
disallow-host-namespaces
disallow-host-path-volumes
disallow-host-ports
disallow-latest-tag
disallow-privilege-escalation
disallow-privileged-containers
kube-env-policy
require-drop-all-capabilities
require-readonly-rootfs
require-resource-limits
require-run-as-nonroot

MEDIUM PR.IR - Containers Without Resource Limits

19 containers lack limits

cnpg/cnpg-operator-cloudnative-pg-6b8754bf9b-2zr97/manager
external-dns/external-dns-6cbf69b969-658w4/external-dns
fluent-bit/dev-fluent-bit-4kzmb/fluent-bit
fluent-bit/dev-fluent-bit-9wqsp/fluent-bit
fluent-bit/dev-fluent-bit-dv8cq/fluent-bit
fluent-bit/dev-fluent-bit-fndxz/fluent-bit
fluent-bit/dev-fluent-bit-kbpxk/fluent-bit
fluent-bit/dev-fluent-bit-lb5j9/fluent-bit
fluent-bit/dev-fluent-bit-s82rz/fluent-bit
fluent-bit/dev-fluent-bit-vfs2w/fluent-bit
fluent-bit/dev-fluent-bit-zl6fh/fluent-bit
grafana/dev-grafana-5dbcfccc84-zm5jp/grafana-sc-dashboard
grafana/dev-grafana-5dbcfccc84-zm5jp/grafana-sc-datasources
grafana/dev-grafana-prometheus-server-755f57f586-8lfd7/prometheus-server-configmap-reload
nats/dev-nats-0/reloader
nats/dev-nats-1/reloader
nats/dev-nats-2/reloader
nats/dev-nats-box-5dbd879cd9-b8g5q/nats-box
pgadmin4/dev-pgadmin4-7c99f47cc8-xq7mt/pgadmin4

MEDIUM RS.MA - Insufficient Network Isolation

Only 1 NetworkPolicies for containment

pgadmin4/dev-pgadmin4

MEDIUM RC.RP - No Backup Jobs

No backup/snapshot CronJobs found

INFO GV.SC - Container Image Registries

12 registries: clamav, cr.fluentbit.io, docker.io, ecr-public.aws.com, ghcr.io, natsio, nginxinc, public.ecr.aws, quay.io, registry.k8s.io

clamav
cr.fluentbit.io
docker.io
ecr-public.aws.com
ghcr.io
natsio
nginxinc
public.ecr.aws
quay.io
registry.k8s.io
tenable
timberio

INFO PR.DS - Secrets Inventory

89 Opaque secrets. Verify encryption at rest.

argo-cd/argocd-initial-admin-secret
argo-cd/argocd-notifications-secret
argo-cd/argocd-redis
argo-cd/argocd-repo-creds-ssh-creds
argo-cd/argocd-repo-git-repo
argo-cd/argocd-repo-keppel-helm-repo
argo-cd/argocd-secret
argo-cd/cluster-ca-bundle
argo-cd/repo-sci-security
burpsuite/burpsuite-db-cnpg-backup-creds
burpsuite/cluster-ca-bundle
burpsuite/cnpg-burpsuite-db-cluster-ca
burpsuite/dev-burpsuite-enterprise-server-secret
burpsuite/dev-burpsuite-relay-shared-secret
burpsuite/dev-burpsuite-scanning-shared-secret
burpsuite/dev-burpsuite-web-server-secret
cert-manager/cert-manager-webhook-ca
cert-manager/cluster-ca-bundle
cert-manager/cluster-ca-crt-bundle
cert-manager/rt53-creds

PASS ID.AM - Asset Inventory

15 nodes, 191 pods, 76 services, 33 namespaces

PASS PR.AA - RBAC Reviewed

No non-system SAs bound to admin roles

PASS DE.CM - Runtime Monitoring Active

Falco on 13 nodes

dev-falco-2nkw2
dev-falco-7rgfx
dev-falco-c8zfk
dev-falco-falcosidekick-6bf9c5646b-dmcs8
dev-falco-falcosidekick-6bf9c5646b-f4h22
dev-falco-fv5h8
dev-falco-k2bjv
dev-falco-l2jgx
dev-falco-ldwt7
dev-falco-m9q6r

PASS DE.AE - Log Collection Active

9 log collector pods

dev-vector-aggregator-0
dev-vector-4rplh
dev-vector-5gd6c
dev-vector-5hpbc
dev-vector-769nm
dev-vector-8l5nf
dev-vector-bsn6q
dev-vector-pfpkj
dev-vector-tvxn5

📜 NIST SP 800-53 Rev 5

Assessment mapped to NIST SP 800-53 Rev 5 — 20 Control Families, 1000+ Controls. 12 findings, 150 affected resources

High

Critical

High

Medium

Info

Assessed Control Families

Family	ID	Controls	K8s Implementation
Access Control	AC	AC-3, AC-6	RBAC, SA tokens, privileged containers
Audit & Accountability	AU	AU-2, AU-3, AU-6	Logging, runtime audit (Falco)
Security Assessment	CA	CA-2	PolicyReports, compliance scanning
Config Management	CM	CM-2, CM-7	ResourceQuotas, hostNetwork
Identification & Auth	IA	IA-5	Default SA automount
System & Comms Protection	SC	SC-7, SC-8, SC-28	NetworkPolicies, TLS, Secrets
System & Info Integrity	SI	SI-2, SI-4	Vuln scanning, monitoring

SP 800-53 Detailed Findings

12 finding(s)

CRITICAL SC-7 Boundary Protection: Missing NetworkPolicies

16/33 namespaces lack policies

cilium-secrets
clamav
cnpg
default
external-dns
fluent-bit
grafana
kcm-system
nats
nessus-manager
nessus-scanner
projectsveltos
splunk-operator
tenable
tenable-enclave
vector-aggregator

HIGH SI-2 Flaw Remediation: No Vuln Scanning

No Trivy operator detected

MEDIUM AC-3 Access Enforcement: SA Token Auto-Mount

26 app pods auto-mount SA tokens

clamav/dev-clamav-7f99944445-sm6jh
cnpg/cnpg-operator-cloudnative-pg-6b8754bf9b-2zr97
external-dns/external-dns-6cbf69b969-658w4
fluent-bit/dev-fluent-bit-4kzmb
fluent-bit/dev-fluent-bit-9wqsp
fluent-bit/dev-fluent-bit-dv8cq
fluent-bit/dev-fluent-bit-fndxz
fluent-bit/dev-fluent-bit-kbpxk
fluent-bit/dev-fluent-bit-lb5j9
fluent-bit/dev-fluent-bit-s82rz
fluent-bit/dev-fluent-bit-vfs2w
fluent-bit/dev-fluent-bit-zl6fh
grafana/dev-grafana-5dbcfccc84-zm5jp
grafana/dev-grafana-prometheus-server-755f57f586-8lfd7
nats/dev-nats-0
nats/dev-nats-1
nats/dev-nats-2
nats/dev-nats-box-5dbd879cd9-b8g5q
nats/dev-nats-tower-0
nats/dev-nats-tower-stream-init-sq66f

MEDIUM IA-5 Authenticator Mgmt: Default SA Auto-Mount

17 namespaces with default SA automount

cilium-secrets
clamav
cnpg
default
external-dns
fluent-bit
grafana
kcm-system
nats
nessus-manager
nessus-scanner
pgadmin4
projectsveltos
splunk-operator
tenable
tenable-enclave
vector-aggregator

INFO AC - RBAC Overview

104 CRBs, 1 admin/cluster-admin

cluster-admin

INFO SC-28 Info at Rest: Secrets

89 Opaque secrets. Verify etcd encryption.

PASS AU-2/AU-3 Audit Events: Logging Active

20 log/SIEM pods

splunk-operator-controller-manager-f99856648-ft2s5
splunk-cm-dev-cluster-manager-0
splunk-idxc-dev-indexer-0
splunk-idxc-dev-indexer-1
splunk-idxc-dev-indexer-2
splunk-lm-dev-license-manager-0
splunk-mc-dev-monitoring-console-0
splunk-shc-dev-deployer-0
splunk-shc-dev-search-head-0
splunk-shc-dev-search-head-1

PASS AU-6 Audit Review: Runtime Security

Falco on 13 nodes

dev-falco-2nkw2
dev-falco-7rgfx
dev-falco-c8zfk
dev-falco-falcosidekick-6bf9c5646b-dmcs8
dev-falco-falcosidekick-6bf9c5646b-f4h22
dev-falco-fv5h8
dev-falco-k2bjv
dev-falco-l2jgx
dev-falco-ldwt7
dev-falco-m9q6r

PASS CA-2 Security Assessments: Policy Reports

1 ClusterPolicyReports

PASS CM-2 Baseline Config: ResourceQuotas

12 defined

PASS SC-8 Transmission Confidentiality: TLS OK

All 10 ingresses use TLS

PASS SI-4 System Monitoring: Active

4 monitoring pods

dev-grafana-5dbcfccc84-zm5jp
dev-grafana-prometheus-server-755f57f586-8lfd7
hubble-relay-698fcf6457-tzj68
hubble-ui-77d4cd6ff5-g6k47

⏱ Runtime Security

Live runtime analysis of running workloads, pod health, container states, and security agent status. 10 findings, 22 affected resources

Good

High

Medium

Low

Info

Runtime Check Categories

Check	ID	Description	Severity
Crashlooping	RT01	Containers with 5+ restarts	HIGH
OOMKilled	RT02	Containers terminated by OOM	HIGH
Pod State	RT03	Pods in Failed/Unknown phase	MEDIUM
Image Tags	RT04	Running :latest or untagged images	MEDIUM
Health Probes	RT05	Missing liveness/readiness probes	MEDIUM
Ephemeral	RT06	Active debug containers	MEDIUM
Stale Pods	RT07	Running 90+ days without restart	LOW
K8s Events	RT08	Warning events in last hour	INFO
Pull Policy	RT09	IfNotPresent with mutable tags	MEDIUM
Security Agent	RT10	Falco/Tetragon status	HIGH
Unready Pods	RT11	Not ready for 5+ minutes	MEDIUM
Replica Drift	RT12	Available < desired replicas	MEDIUM

Runtime Security Detailed Findings

10 finding(s)

HIGH Crashlooping Containers

2 container(s) have 5+ restarts, indicating instability or repeated failure

splunk-operator/splunk-operator-controller-manager-f99856648-ft2s5/manager (restarts=9)
vector-aggregator/dev-vector-aggregator-0/vector (restarts=13)

HIGH OOMKilled Containers

2 container(s) were recently OOMKilled - possible memory exhaustion

nats/dev-nats-0/nats
nats/dev-nats-1/nats

HIGH Runtime Security Agent Unhealthy

1 Falco pod(s) are not in Running state

falco/dev-falco-927gc (phase=Pending)

MEDIUM Running Containers Without Health Probes

7 running container(s) lack both liveness and readiness probes

grafana/dev-grafana-5dbcfccc84-zm5jp/grafana-sc-dashboard
grafana/dev-grafana-5dbcfccc84-zm5jp/grafana-sc-datasources
nats/dev-nats-0/reloader
nats/dev-nats-1/reloader
nats/dev-nats-2/reloader
nats/dev-nats-box-5dbd879cd9-b8g5q/nats-box
tenable-enclave/dev-tenable-enclave-tes-operator-64b66f65b-d6snj/tes-operator

MEDIUM Pods Not Ready for Extended Period

1 pod(s) have been in not-ready state for 5+ minutes

vector-aggregator/dev-vector-aggregator-0 (unready 120m)

MEDIUM Deployment Replica Drift

1 deployment(s) have fewer available replicas than desired

clamav/dev-clamav (desired=1, available=0)

LOW Stale Long-Running Pods

1 pod(s) running 90+ days without restart

projectsveltos/sveltos-agent-manager-74fb58c4db-2tt6q (age=109d)

INFO Recent Warning Events

7 warning event(s) in the last hour

clamav/dev-clamav-7f99944445-sm6jh: BackOff - Back-off restarting failed container freshclam-init in pod dev-clamav-7f99944445
default/test-config: UpdateFailed - error processing spec.data[0] (key: products/security/dev/environment/test-confi
-/vault-backend: InvalidProviderConfig - invalid vault credentials: Error making API request. URL: GET https://vault.sms
nats/dev-nats-tower-0: FailedMount - MountVolume.SetUp failed for volume "nats-ca" : secret "nats-ca-cert" not found
nats/dev-nats-tower-stream-init-sq66f: FailedMount - MountVolume.SetUp failed for volume "nats-creds-btp-nats-token" : secret "btp-na
vector-aggregator/dev-vector-aggregator-0: Failed - Error: secret "vector-splunk-hec-token" not found
vector-aggregator/dev-vector-aggregator-0: BackOff - Back-off restarting failed container vector in pod dev-vector-aggregator-0_vecto

PASS All Running Images Use Pinned Tags

No running containers use :latest or untagged images

PASS No Ephemeral Containers Detected

No pods have ephemeral debug containers attached