Skip to content
Snippets Groups Projects
Normal view Permalink
kubescape-exceptions.json 1.76 KiB
Newer Older
Philip Gough's avatar
ci: Add exceptions for node-exporter to kubescape config
Philip Gough committed
1 
[
Paweł Krupa (paulfantom)'s avatar
docs: add security considerations regarding automountServiceAccountToken  
Paweł Krupa (paulfantom) committed
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 
  {
    "name": "exclude-automountServiceAccountToken-checks",
    "policyType": "postureExceptionPolicy",
    "actions": [
      "alertOnly"
    ],
    "resources": [
      {
        "designatorType": "Attributes",
        "attributes": {
          "kind": "DaemonSet",
          "name": "node-exporter"
        }
      },
      {
        "designatorType": "Attributes",
        "attributes": {
          "kind": "Deployment",
          "name": "blackbox-exporter"
        }
      },
      {
        "designatorType": "Attributes",
        "attributes": {
          "kind": "Deployment",
          "name": "kube-state-metrics"
        }
      },
      {
        "designatorType": "Attributes",
        "attributes": {
          "kind": "Deployment",
          "name": "prometheus-adapter"
        }
      },
      {
        "designatorType": "Attributes",
        "attributes": {
          "kind": "Deployment",
          "name": "prometheus-operator"
        }
Philip Gough's avatar
kubescape: Add exception for Prometheus SA automount of token  
Philip Gough committed
43 44 45 46 47 48 49 
      },
      {
        "designatorType": "Attributes",
        "attributes": {
          "kind": "ServiceAccount",
          "name": "prometheus-k8s"
        }
Paweł Krupa (paulfantom)'s avatar
docs: add security considerations regarding automountServiceAccountToken  
Paweł Krupa (paulfantom) committed
50 51 52 53 54 55 56 57 
      }
    ],
    "posturePolicies": [
      {
        "controlName": "Automatic mapping of service account"
      }
    ]
  },
Philip Gough's avatar
ci: Add exceptions for node-exporter to kubescape config
Philip Gough committed
58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 
  {
    "name": "exclude-node-exporter-host-access-checks",
    "policyType": "postureExceptionPolicy",
    "actions": [
      "alertOnly"
    ],
    "resources": [
      {
        "designatorType": "Attributes",
        "attributes": {
          "kind": "DaemonSet",
          "name": "node-exporter"
        }
      }
    ],
    "posturePolicies": [
      {
        "controlName": "Container hostPort"
      },
      {
        "controlName": "Host PID/IPC privileges"
      },
      {
        "controlName": "HostNetwork access"
      }
    ]
  }
Philip Gough's avatar
kubescape: Add exception for Prometheus SA automount of token  
Philip Gough committed
85 
]