Skip to content

ClusterComplianceReport

The ClusterComplianceReport is a cluster-scoped resource, which represents the latest compliance control checks results. The report spec defines a mapping between pre-defined compliance control check ids to security scanners check ids. Currently, only kube-bench and config-audit security scanners are supported.

The NSA compliance report is composed of two parts:

  • spec: represents the compliance control checks specification, check details, and the mapping to the security scanner (this part is defined by the user)
  • status: represents the compliance control checks (as defined by spec mapping) results extracted from the security scanners reports (this part is output by trivy-operator)

The following shows a sample ClusterComplianceReport NSA specification associated with the cluster:

apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterComplianceReport
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: ''
  creationTimestamp: '2022-03-27T07:03:29Z'
  generation: 2
  labels:
    app.kubernetes.io/instance: trivy-operator
    app.kubernetes.io/managed-by: kubectl
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/version: 0.0.1
  name: nsa
  resourceVersion: '15745'
  uid: d11e8af1-daac-457d-96ea-45be4b043814
spec:
  controls:
    - description: Check that container is not running as root
      id: '1.0'
      kinds:
        - Workload
      mapping:
        checks:
          - id: KSV012
        scanner: config-audit
      name: Non-root containers
      severity: MEDIUM
    - description: Check that container root file system is immutable
      id: '1.1'
      kinds:
        - Workload
      mapping:
        checks:
          - id: KSV014
        scanner: config-audit
      name: Immutable container file systems
      severity: LOW
    - description: Controls whether Pods can run privileged containers
      id: '1.2'
      kinds:
        - Workload
      mapping:
        checks:
          - id: KSV017
        scanner: config-audit
      name: Preventing privileged containers
      severity: HIGH
    - description: Controls whether containers can share process namespaces
      id: '1.3'
      kinds:
        - Workload
      mapping:
        checks:
          - id: KSV008
        scanner: config-audit
      name: Share containers process namespaces
      severity: HIGH
    - description: Controls whether share host process namespaces
      id: '1.4'
      kinds:
        - Workload
      mapping:
        checks:
          - id: KSV009
        scanner: config-audit
      name: Share host process namespaces.
      severity: HIGH
    - description: Controls whether containers can use the host network
      id: '1.5'
      kinds:
        - Workload
      mapping:
        checks:
          - id: KSV010
        scanner: config-audit
      name: use the host network
      severity: HIGH
    - description: Controls whether container applications can run with root privileges
        or with root group membership
      id: '1.6'
      kinds:
        - Workload
      mapping:
        checks:
          - id: KSV029
        scanner: config-audit
      name: Run with root privileges or with root group membership
      severity: LOW
    - description: Control check restrictions escalation to root privileges
      id: '1.7'
      kinds:
        - Workload
      mapping:
        checks:
          - id: KSV001
        scanner: config-audit
      name: Restricts escalation to root privileges
      severity: MEDIUM
    - description: Control checks if pod sets the SELinux context of the container
      id: '1.8'
      kinds:
        - Workload
      mapping:
        checks:
          - id: KSV002
        scanner: config-audit
      name: Sets the SELinux context of the container
      severity: MEDIUM
    - description: Control checks the restriction of containers access to resources
        with AppArmor
      id: '1.9'
      kinds:
        - Workload
      mapping:
        checks:
          - id: KSV030
        scanner: config-audit
      name: Restrict a container's access to resources with AppArmor
      severity: MEDIUM
    - description: Control checks the sets the seccomp profile used to sandbox containers
      id: '1.10'
      kinds:
        - Workload
      mapping:
        checks:
          - id: KSV030
        scanner: config-audit
      name: Sets the seccomp profile used to sandbox containers.
      severity: LOW
    - description: 'Control check whether disable secret token been mount ,automountServiceAccountToken:
      false'
      id: '1.11'
      kinds:
        - Workload
      mapping:
        checks:
          - id: KSV036
        scanner: config-audit
      name: Protecting Pod service account tokens
      severity: MEDIUM
    - defaultStatus: FAIL
      description: Control check whether Namespace kube-system is not be used by users
      id: '1.12'
      kinds:
        - NetworkPolicy
      mapping:
        checks:
          - id: KSV037
        scanner: config-audit
      name: Namespace kube-system should not be used by users
      severity: MEDIUM
    - defaultStatus: FAIL
      description: Control check validate the pod and/or namespace Selectors usage
      id: '2.0'
      kinds:
        - NetworkPolicy
      mapping:
        checks:
          - id: KSV038
        scanner: config-audit
      name: Pod and/or namespace Selectors usage
      severity: MEDIUM
    - description: "Control check whether check cni plugin installed\t"
      id: '3.0'
      kinds:
        - Node
      mapping:
        checks:
          - id: 5.3.1
        scanner: kube-bench
      name: Use CNI plugin that supports NetworkPolicy API
      severity: CRITICAL
    - defaultStatus: FAIL
      description: Control check the use of ResourceQuota policy to limit aggregate
        resource usage within namespace
      id: '4.0'
      kinds:
        - ResourceQuota
      mapping:
        checks:
          - id: KSV040
        scanner: config-audit
      name: Use ResourceQuota policies to limit resources
      severity: MEDIUM
    - defaultStatus: FAIL
      description: Control check the use of LimitRange policy limit resource usage for
        namespaces or nodes
      id: '4.1'
      kinds:
        - ResourceQuota
      mapping:
        checks:
          - id: KSV039
        scanner: config-audit
      name: Use LimitRange policies to limit resources
      severity: MEDIUM
    - description: Control check whether control plan disable insecure port
      id: '5.0'
      kinds:
        - Node
      mapping:
        checks:
          - id: 1.2.19
        scanner: kube-bench
      name: Control plan disable insecure port
      severity: CRITICAL
    - description: Control check whether etcd communication is encrypted
      id: '5.1'
      kinds:
        - Node
      mapping:
        checks:
          - id: '2.1'
        scanner: kube-bench
      name: Encrypt etcd communication
      severity: CRITICAL
    - description: Control check whether kube config file permissions
      id: '6.0'
      kinds:
        - Node
      mapping:
        checks:
          - id: 4.1.3
          - id: 4.1.4
        scanner: kube-bench
      name: Ensure kube config file permission
      severity: CRITICAL
    - description: Control checks whether encryption resource has been set
      id: '6.1'
      kinds:
        - Node
      mapping:
        checks:
          - id: 1.2.31
          - id: 1.2.32
        scanner: kube-bench
      name: Check that encryption resource has been set
      severity: CRITICAL
    - description: Control checks whether encryption provider has been set
      id: '6.2'
      kinds:
        - Node
      mapping:
        checks:
          - id: 1.2.3
        scanner: kube-bench
      name: Check encryption provider
      severity: CRITICAL
    - description: Control checks whether anonymous-auth is unset
      id: '7.0'
      kinds:
        - Node
      mapping:
        checks:
          - id: 1.2.1
        scanner: kube-bench
      name: Make sure anonymous-auth is unset
      severity: CRITICAL
    - description: Control check whether RBAC permission is in use
      id: '7.1'
      kinds:
        - Node
      mapping:
        checks:
          - id: 1.2.7
          - id: 1.2.8
        scanner: kube-bench
      name: Make sure -authorization-mode=RBAC
      severity: CRITICAL
    - description: Control check whether audit policy is configure
      id: '8.0'
      kinds:
        - Node
      mapping:
        checks:
          - id: 3.2.1
        scanner: kube-bench
      name: Audit policy is configure
      severity: HIGH
    - description: Control check whether audit log path is configure
      id: '8.1'
      kinds:
        - Node
      mapping:
        checks:
          - id: 1.2.22
        scanner: kube-bench
      name: Audit log path is configure
      severity: MEDIUM
    - description: Control check whether audit log aging is configure
      id: '8.2'
      kinds:
        - Node
      mapping:
        checks:
          - id: 1.2.23
        scanner: kube-bench
      name: Audit log aging
      severity: MEDIUM
  cron: "* * * * *"
  description: National Security Agency - Kubernetes Hardening Guidance
  name: nsa
  version: '1.0'
status:
  controlCheck:
    - description: Controls whether Pods can run privileged containers
      failTotal: 0
      id: '1.2'
      name: Preventing privileged containers
      passTotal: 11
      severity: HIGH
    - description: Controls whether containers can share process namespaces
      failTotal: 0
      id: '1.3'
      name: Share containers process namespaces
      passTotal: 11
      severity: HIGH
    - description: Control checks whether anonymous-auth is unset
      failTotal: 0
      id: '7.0'
      name: Make sure anonymous-auth is unset
      passTotal: 0
      severity: CRITICAL
    - description: Control check restrictions escalation to root privileges
      failTotal: 6
      id: '1.7'
      name: Restricts escalation to root privileges
      passTotal: 5
      severity: MEDIUM
    - description: Control checks the restriction of containers access to resources
        with AppArmor
      failTotal: 0
      id: '1.9'
      name: Restrict a container's access to resources with AppArmor
      passTotal: 11
      severity: MEDIUM
    - description: Check that container is not running as root
      failTotal: 9
      id: '1.0'
      name: Non-root containers
      passTotal: 2
      severity: MEDIUM
    - description: Controls whether share host process namespaces
      failTotal: 0
      id: '1.4'
      name: Share host process namespaces.
      passTotal: 11
      severity: HIGH
    - description: Control checks whether encryption resource has been set
      failTotal: 0
      id: '6.1'
      name: Check that encryption resource has been set
      passTotal: 1
      severity: CRITICAL
    - description: "Control check whether check cni plugin installed\t"
      failTotal: 0
      id: '3.0'
      name: Use CNI plugin that supports NetworkPolicy API
      passTotal: 1
      severity: CRITICAL
    - description: Control check the use of ResourceQuota policy to limit aggregate
        resource usage within namespace
      failTotal: 1
      id: '4.0'
      name: Use ResourceQuota policies to limit resources
      passTotal: 0
      severity: MEDIUM
    - description: Control check whether kube config file permissions
      failTotal: 0
      id: '6.0'
      name: Ensure kube config file permission
      passTotal: 1
      severity: CRITICAL
    - description: Control checks whether encryption provider has been set
      failTotal: 0
      id: '6.2'
      name: Check encryption provider
      passTotal: 1
      severity: CRITICAL
    - description: Control check whether RBAC permission is in use
      failTotal: 0
      id: '7.1'
      name: Make sure -authorization-mode=RBAC
      passTotal: 0
      severity: CRITICAL
    - description: Check that container root file system is immutable
      failTotal: 5
      id: '1.1'
      name: Immutable container file systems
      passTotal: 6
      severity: LOW
    - description: Control checks if pod sets the SELinux context of the container
      failTotal: 0
      id: '1.8'
      name: Sets the SELinux context of the container
      passTotal: 11
      severity: MEDIUM
    - description: 'Control check whether disable secret token been mount ,automountServiceAccountToken:
      false'
      failTotal: 1
      id: '1.11'
      name: Protecting Pod service account tokens
      passTotal: 10
      severity: MEDIUM
    - description: Control check the use of LimitRange policy limit resource usage for
        namespaces or nodes
      failTotal: 1
      id: '4.1'
      name: Use LimitRange policies to limit resources
      passTotal: 0
      severity: MEDIUM
    - description: Control check whether audit log aging is configure
      failTotal: 0
      id: '8.2'
      name: Audit log aging
      passTotal: 0
      severity: MEDIUM
    - description: Control check whether Namespace kube-system is not be used by users
      failTotal: 8
      id: '1.12'
      name: Namespace kube-system should not be used by users
      passTotal: 3
      severity: MEDIUM
    - description: Controls whether containers can use the host network
      failTotal: 0
      id: '1.5'
      name: use the host network
      passTotal: 11
      severity: HIGH
    - description: Controls whether container applications can run with root privileges
        or with root group membership
      failTotal: 1
      id: '1.6'
      name: Run with root privileges or with root group membership
      passTotal: 10
      severity: LOW
    - description: Control check whether audit log path is configure
      failTotal: 0
      id: '8.1'
      name: Audit log path is configure
      passTotal: 1
      severity: MEDIUM
    - description: Control checks the sets the seccomp profile used to sandbox containers
      failTotal: 0
      id: '1.10'
      name: Sets the seccomp profile used to sandbox containers.
      passTotal: 11
      severity: LOW
    - description: Control check validate the pod and/or namespace Selectors usage
      failTotal: 1
      id: '2.0'
      name: Pod and/or namespace Selectors usage
      passTotal: 0
      severity: MEDIUM
    - description: Control check whether control plan disable insecure port
      failTotal: 0
      id: '5.0'
      name: Control plan disable insecure port
      passTotal: 1
      severity: CRITICAL
    - description: Control check whether etcd communication is encrypted
      failTotal: 0
      id: '5.1'
      name: Encrypt etcd communication
      passTotal: 1
      severity: CRITICAL
    - description: Control check whether audit policy is configure
      failTotal: 0
      id: '8.0'
      name: Audit policy is configure
      passTotal: 1
      severity: HIGH
  summary:
    failCount: 33
    passCount: 113
  updateTimestamp: '2022-03-27T07:06:00Z'