Skip to content

ClusterComplianceDetailReport

The ClusterComplianceDetailReport is a cluster-scoped resource, which represents the latest result of the Cluster Compliance Detail report. The report data provide granular information on control checks failures that occur in ClusterComplianceReport for further investigation.

The compliance detail report provides granular information insight on control check failures:

  • Failing resource kind
  • Name of the failing resource
  • Namespace of the failing resource
  • Failure error message
  • Remediation

The following listing shows a sample ClusterComplianceDetailReport for NSA specification associated with the cluster

apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterComplianceDetailReport
metadata:
  creationTimestamp: '2022-03-27T07:04:21Z'
  generation: 6
  name: nsa-details
  resourceVersion: '15788'
  uid: 9d36889d-086a-4fb3-b660-a3a3ecffe3c6
report:
  controlCheck:
    - checkResults:
        - details:
            - msg: ReplicaSet 'coredns-96cc4f57d' should not be set with 'kube-system' namespace
              name: replicaset-coredns-96cc4f57d
              namespace: kube-system
              status: FAIL
            - msg: ReplicaSet 'coredns-5789895cd' should not be set with 'kube-system' namespace
              name: replicaset-coredns-5789895cd
              namespace: kube-system
              status: FAIL
            - msg: ReplicaSet 'traefik-56c4b88c4b' should not be set with 'kube-system'
                namespace
              name: replicaset-traefik-56c4b88c4b
              namespace: kube-system
              status: FAIL
            - msg: ReplicaSet 'metrics-server-ff9dbcb6c' should not be set with 'kube-system'
                namespace
              name: replicaset-metrics-server-ff9dbcb6c
              namespace: kube-system
              status: FAIL
            - msg: ReplicaSet 'local-path-provisioner-84bb864455' should not be set with
                'kube-system' namespace
              name: replicaset-local-path-provisioner-84bb864455
              namespace: kube-system
              status: FAIL
          id: KSV037
          objectType: ReplicaSet
        - details:
            - msg: DaemonSet 'svclb-traefik' should not be set with 'kube-system' namespace
              name: daemonset-svclb-traefik
              namespace: kube-system
              status: FAIL
          id: KSV037
          objectType: DaemonSet
        - details:
            - msg: Job 'helm-install-traefik-crd' should not be set with 'kube-system' namespace
              name: job-helm-install-traefik-crd
              namespace: kube-system
              status: FAIL
            - msg: Job 'helm-install-traefik' should not be set with 'kube-system' namespace
              name: job-helm-install-traefik
              namespace: kube-system
              status: FAIL
          id: KSV037
          objectType: Job
      description: Control check whether Namespace kube-system is not be used by users
      id: '1.12'
      name: Namespace kube-system should not be used by users
      severity: MEDIUM
    - checkResults:
        - details:
            - msg: Resource do not exist in cluster
              status: FAIL
          objectType: ResourceQuota
      description: Control check the use of ResourceQuota policy to limit aggregate
        resource usage within namespace
      id: '4.0'
      name: Use ResourceQuota policies to limit resources
      severity: MEDIUM
    - checkResults:
        - details:
            - msg: Container 'traefik' of ReplicaSet 'traefik-56c4b88c4b' should set 'securityContext.allowPrivilegeEscalation'
                to false
              name: replicaset-traefik-56c4b88c4b
              namespace: kube-system
              status: FAIL
            - msg: Container 'local-path-provisioner' of ReplicaSet 'local-path-provisioner-84bb864455'
                should set 'securityContext.allowPrivilegeEscalation' to false
              name: replicaset-local-path-provisioner-84bb864455
              namespace: kube-system
              status: FAIL
          id: KSV001
          objectType: ReplicaSet
        - details:
            - msg: Container 'lb-port-443' of DaemonSet 'svclb-traefik' should set 'securityContext.allowPrivilegeEscalation'
                to false
              name: daemonset-svclb-traefik
              namespace: kube-system
              status: FAIL
          id: KSV001
          objectType: DaemonSet
        - details:
            - msg: Container 'helm' of Job 'helm-install-traefik-crd' should set 'securityContext.allowPrivilegeEscalation'
                to false
              name: job-helm-install-traefik-crd
              namespace: kube-system
              status: FAIL
            - msg: Container 'helm' of Job 'helm-install-traefik' should set 'securityContext.allowPrivilegeEscalation'
                to false
              name: job-helm-install-traefik
              namespace: kube-system
              status: FAIL
          id: KSV001
          objectType: Job
        - details:
            - msg: Container 'nginx' of Pod 'nginx-jr99v' should set 'securityContext.allowPrivilegeEscalation'
                to false
              name: pod-nginx-jr99v
              namespace: trivy-operator-itest
              status: FAIL
          id: KSV001
          objectType: Pod
      description: Control check restrictions escalation to root privileges
      id: '1.7'
      name: Restricts escalation to root privileges
      severity: MEDIUM
    - checkResults:
        - details:
            - msg: Resource do not exist in cluster
              status: FAIL
          objectType: ResourceQuota
      description: Control check the use of LimitRange policy limit resource usage for
        namespaces or nodes
      id: '4.1'
      name: Use LimitRange policies to limit resources
      severity: MEDIUM
    - checkResults:
        - details:
            - msg: Container 'local-path-provisioner' of ReplicaSet 'local-path-provisioner-84bb864455'
                should set 'securityContext.readOnlyRootFilesystem' to true
              name: replicaset-local-path-provisioner-84bb864455
              namespace: kube-system
              status: FAIL
          id: KSV014
          objectType: ReplicaSet
        - details:
            - msg: Container 'lb-port-443' of DaemonSet 'svclb-traefik' should set 'securityContext.readOnlyRootFilesystem'
                to true
              name: daemonset-svclb-traefik
              namespace: kube-system
              status: FAIL
          id: KSV014
          objectType: DaemonSet
        - details:
            - msg: Container 'helm' of Job 'helm-install-traefik-crd' should set 'securityContext.readOnlyRootFilesystem'
                to true
              name: job-helm-install-traefik-crd
              namespace: kube-system
              status: FAIL
            - msg: Container 'helm' of Job 'helm-install-traefik' should set 'securityContext.readOnlyRootFilesystem'
                to true
              name: job-helm-install-traefik
              namespace: kube-system
              status: FAIL
          id: KSV014
          objectType: Job
        - details:
            - msg: Container 'nginx' of Pod 'nginx-jr99v' should set 'securityContext.readOnlyRootFilesystem'
                to true
              name: pod-nginx-jr99v
              namespace: trivy-operator-itest
              status: FAIL
          id: KSV014
          objectType: Pod
      description: Check that container root file system is immutable
      id: '1.1'
      name: Immutable container file systems
      severity: LOW
    - checkResults:
        - details:
            - msg: ReplicaSet 'traefik-56c4b88c4b' should set 'spec.securityContext.runAsGroup',
                'spec.securityContext.supplementalGroups[*]' and 'spec.securityContext.fsGroup'
                to integer greater than 0
              name: replicaset-traefik-56c4b88c4b
              namespace: kube-system
              status: FAIL
          id: KSV029
          objectType: ReplicaSet
      description: Controls whether container applications can run with root privileges
        or with root group membership
      id: '1.6'
      name: Run with root privileges or with root group membership
      severity: LOW
    - checkResults:
        - details:
            - msg: Container of Pod 'nginx-jr99v' should set 'spec.automountServiceAccountToken'
                to false
              name: pod-nginx-jr99v
              namespace: trivy-operator-itest
              status: FAIL
          id: KSV036
          objectType: Pod
      description: 'Control check whether disable secret token been mount ,automountServiceAccountToken:
      false'
      id: '1.11'
      name: Protecting Pod service account tokens
      severity: MEDIUM
    - checkResults:
        - details:
            - msg: Resource do not exist in cluster
              status: FAIL
          objectType: NetworkPolicy
      description: Control check validate the pod and/or namespace Selectors usage
      id: '2.0'
      name: Pod and/or namespace Selectors usage
      severity: MEDIUM
    - checkResults:
        - details:
            - msg: Container 'trivy-operator' of ReplicaSet 'trivy-operator-7cf866c47b'
                should set 'securityContext.runAsNonRoot' to true
              name: replicaset-trivy-operator-7cf866c47b
              namespace: trivy-operator-system
              status: FAIL
            - msg: Container 'coredns' of ReplicaSet 'coredns-96cc4f57d' should set 'securityContext.runAsNonRoot'
                to true
              name: replicaset-coredns-96cc4f57d
              namespace: kube-system
              status: FAIL
            - msg: Container 'coredns' of ReplicaSet 'coredns-5789895cd' should set 'securityContext.runAsNonRoot'
                to true
              name: replicaset-coredns-5789895cd
              namespace: kube-system
              status: FAIL
            - msg: Container 'trivy-operator' of ReplicaSet 'trivy-operator-c94dd56d'
                should set 'securityContext.runAsNonRoot' to true
              name: replicaset-trivy-operator-c94dd56d
              namespace: trivy-operator-system
              status: FAIL
            - msg: Container 'local-path-provisioner' of ReplicaSet 'local-path-provisioner-84bb864455'
                should set 'securityContext.runAsNonRoot' to true
              name: replicaset-local-path-provisioner-84bb864455
              namespace: kube-system
              status: FAIL
          id: KSV012
          objectType: ReplicaSet
        - details:
            - msg: Container 'lb-port-443' of DaemonSet 'svclb-traefik' should set 'securityContext.runAsNonRoot'
                to true
              name: daemonset-svclb-traefik
              namespace: kube-system
              status: FAIL
          id: KSV012
          objectType: DaemonSet
        - details:
            - msg: Container 'helm' of Job 'helm-install-traefik-crd' should set 'securityContext.runAsNonRoot'
                to true
              name: job-helm-install-traefik-crd
              namespace: kube-system
              status: FAIL
            - msg: Container 'helm' of Job 'helm-install-traefik' should set 'securityContext.runAsNonRoot'
                to true
              name: job-helm-install-traefik
              namespace: kube-system
              status: FAIL
          id: KSV012
          objectType: Job
        - details:
            - msg: Container 'nginx' of Pod 'nginx-jr99v' should set 'securityContext.runAsNonRoot'
                to true
              name: pod-nginx-jr99v
              namespace: trivy-operator-itest
              status: FAIL
          id: KSV012
          objectType: Pod
      description: Check that container is not running as root
      id: '1.0'
      name: Non-root containers
      severity: MEDIUM
  summary:
    failCount: 33
    passCount: 113
  type:
    description: national security agency - kubernetes hardening guidance
    name: nsa-details
    version: '1.0'
  updateTimestamp: '2022-03-27T07:09:00Z'