Kubernetes Security Assessment Report

Cluster: never-dev-sec | Kubernetes: 1.33 | Scanned: 2026-04-13 14:46:31 UTC | Total Findings: 2404

100

Critical Risk

340

Critical Issues

693

High Issues

1371

Medium Issues

Pass Issues

🛡 OWASP Kubernetes Top 10

Assessment based on the OWASP Kubernetes Top Ten framework | 26 findings, 1463 affected resources

340 Critical 73 High 1047 Medium 3 Pass

Category	Risk	Findings	Worst Severity
K01	Insecure Workload Configurations	1261 issue(s) / 8 finding(s)	CRITICAL
K02	Overly Permissive RBAC	6 issue(s) / 2 finding(s)	CRITICAL
K03	Secrets Management Failures	9 issue(s) / 3 finding(s)	HIGH
K04	Lack of Centralized Policy Enforcement	29 issue(s) / 2 finding(s)	CRITICAL
K05	Missing Network Segmentation	28 issue(s) / 1 finding(s)	CRITICAL
K06	Overly Exposed Cluster Components	4 issue(s) / 2 finding(s)	MEDIUM
K07	Misconfigured Cluster Components	86 issue(s) / 3 finding(s)	HIGH
K08	Cluster-to-Cloud Lateral Movement	6 issue(s) / 1 finding(s)	MEDIUM
K09	Broken Authentication Mechanisms	30 issue(s) / 2 finding(s)	MEDIUM
K10	Inadequate Logging and Monitoring	1 issue(s) / 2 finding(s)	MEDIUM

K01: Insecure Workload Configurations

1261 issue(s) / 8 finding(s)

CRITICALPrivileged Containers

80 containers run with privileged: true

Affected Resources

falco/test-falco-4ttzt/falco
falco/test-falco-4ttzt/falco-driver-loader
falco/test-falco-5sbff/falco
falco/test-falco-5sbff/falco-driver-loader
falco/test-falco-bw6sg/falco
falco/test-falco-bw6sg/falco-driver-loader
falco/test-falco-fm42l/falco
falco/test-falco-fm42l/falco-driver-loader
falco/test-falco-hd8g7/falco
falco/test-falco-hd8g7/falco-driver-loader
falco/test-falco-k8p25/falco
falco/test-falco-k8p25/falco-driver-loader
falco/test-falco-mblws/falco
falco/test-falco-mblws/falco-driver-loader
falco/test-falco-mq8vw/falco
falco/test-falco-mq8vw/falco-driver-loader
falco/test-falco-qbt4d/falco
falco/test-falco-qbt4d/falco-driver-loader
falco/test-falco-qpfdl/falco
falco/test-falco-qpfdl/falco-driver-loader

CRITICALHost Network Enabled

85 pods use hostNetwork: true

Affected Resources

default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-65442
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-7995w
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-f9pqb
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-fkq8r
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-h4dnq
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-j7xgg
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-kc76c
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-krs67
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-v68cj
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-whdsf
kube-system/cilium-7knzf
kube-system/cilium-7xhwv
kube-system/cilium-bzlvg
kube-system/cilium-envoy-69kfp
kube-system/cilium-envoy-7llfh
kube-system/cilium-envoy-d5chk
kube-system/cilium-envoy-ddms4
kube-system/cilium-envoy-fzzwc
kube-system/cilium-envoy-h4v62
kube-system/cilium-envoy-h66fl

CRITICALHost PID Enabled

10 pods use hostPID: true

Affected Resources

default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-65442
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-7995w
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-f9pqb
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-fkq8r
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-h4dnq
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-j7xgg
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-kc76c
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-krs67
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-v68cj
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-whdsf

CRITICALHost Path Mounts

106 pods mount host paths

Affected Resources

default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-65442 -> /
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-7995w -> /
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-f9pqb -> /
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-fkq8r -> /
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-h4dnq -> /
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-j7xgg -> /
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-kc76c -> /
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-krs67 -> /
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-v68cj -> /
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-whdsf -> /
falco/test-falco-4ttzt -> /var/run/docker.sock
falco/test-falco-5sbff -> /var/run/docker.sock
falco/test-falco-bw6sg -> /var/run/docker.sock
falco/test-falco-fm42l -> /var/run/docker.sock
falco/test-falco-hd8g7 -> /var/run/docker.sock
falco/test-falco-k8p25 -> /var/run/docker.sock
falco/test-falco-mblws -> /var/run/docker.sock
falco/test-falco-mq8vw -> /var/run/docker.sock
falco/test-falco-qbt4d -> /var/run/docker.sock
falco/test-falco-qpfdl -> /var/run/docker.sock

HIGHHost IPC Enabled

10 pods use hostIPC: true

Affected Resources

default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-65442
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-7995w
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-f9pqb
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-fkq8r
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-h4dnq
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-j7xgg
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-kc76c
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-krs67
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-v68cj
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-whdsf

MEDIUMMissing readOnlyRootFilesystem

339 containers lack readOnlyRootFilesystem: true

Affected Resources

burpsuite/test-burpsuite-connection-relay-56566cbf9f-q7m69/connection-relay
burpsuite/test-burpsuite-enterprise-server-58c8584545-qdhf5/enterprise-server
burpsuite/test-burpsuite-enterprise-server-58c8584545-qdhf5/init-burp-download
burpsuite/test-burpsuite-enterprise-server-58c8584545-qdhf5/init-enterprise-server-keystore
burpsuite/test-burpsuite-scan-controller-94bbdccbb-gvk7g/scan-controller
burpsuite/test-burpsuite-web-server-8464668497-kp4m4/web-server
burpsuite/test-burpsuite-web-server-8464668497-kp4m4/init-web-server-keystore
burpsuite/ubuntu-change-pvc-permissions-6l62k/ubuntu
default/httpbin-56c54d77b8-9cd8d/httpbin
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-65442/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-7995w/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-f9pqb/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-fkq8r/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-h4dnq/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-j7xgg/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-kc76c/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-krs67/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-v68cj/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-whdsf/debugger
falco/test-falco-4ttzt/falco

MEDIUMMissing runAsNonRoot

351 containers lack runAsNonRoot: true

Affected Resources

burpsuite/test-burpsuite-enterprise-server-58c8584545-qdhf5/enterprise-server
burpsuite/test-burpsuite-enterprise-server-58c8584545-qdhf5/init-burp-download
burpsuite/test-burpsuite-enterprise-server-58c8584545-qdhf5/init-enterprise-server-keystore
burpsuite/test-burpsuite-web-server-8464668497-kp4m4/web-server
burpsuite/test-burpsuite-web-server-8464668497-kp4m4/init-web-server-keystore
burpsuite/ubuntu-change-pvc-permissions-6l62k/ubuntu
cert-manager/cert-manager-cainjector-cf4f94f8c-vjf64/cert-manager-cainjector
cert-manager/cert-manager-cd6c7c6b9-k6w8l/cert-manager-controller
cert-manager/cert-manager-webhook-6d78ddb474-vzlwx/cert-manager-webhook
cnpg/cnpg-operator-cloudnative-pg-58c485df56-jjlx9/manager
default/httpbin-56c54d77b8-9cd8d/httpbin
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-65442/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-7995w/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-f9pqb/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-fkq8r/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-h4dnq/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-j7xgg/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-kc76c/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-krs67/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-v68cj/debugger

MEDIUMMissing Resource Limits

280 containers have no resource limits/requests

Affected Resources

argo-cd/argo-cd-argocd-dex-server-57589b5c8b-mzjn2/dex-server
argo-cd/argo-cd-argocd-dex-server-57589b5c8b-mzjn2/copyutil
argo-cd/argo-cd-redis-ha-haproxy-5fd56f647d-5dxdb/haproxy
argo-cd/argo-cd-redis-ha-haproxy-5fd56f647d-5dxdb/config-init
argo-cd/argo-cd-redis-ha-haproxy-5fd56f647d-8fsl8/haproxy
argo-cd/argo-cd-redis-ha-haproxy-5fd56f647d-8fsl8/config-init
argo-cd/argo-cd-redis-ha-haproxy-5fd56f647d-czddh/haproxy
argo-cd/argo-cd-redis-ha-haproxy-5fd56f647d-czddh/config-init
argo-cd/argo-cd-redis-ha-server-0/split-brain-fix
argo-cd/argo-cd-redis-ha-server-0/redis-exporter
argo-cd/argo-cd-redis-ha-server-0/config-init
argo-cd/argo-cd-redis-ha-server-1/split-brain-fix
argo-cd/argo-cd-redis-ha-server-1/redis-exporter
argo-cd/argo-cd-redis-ha-server-1/config-init
argo-cd/argo-cd-redis-ha-server-2/split-brain-fix
argo-cd/argo-cd-redis-ha-server-2/redis-exporter
argo-cd/argo-cd-redis-ha-server-2/config-init
cert-manager/cert-manager-cainjector-cf4f94f8c-vjf64/cert-manager-cainjector
cert-manager/cert-manager-cd6c7c6b9-k6w8l/cert-manager-controller
cert-manager/cert-manager-webhook-6d78ddb474-vzlwx/cert-manager-webhook

K02: Overly Permissive RBAC

6 issue(s) / 2 finding(s)

CRITICALWildcard ClusterRoles

3 ClusterRoles grant * verbs on * resources

Affected Resources

argo-cd-argocd-application-controller
cluster-admin
system:nodes:autopilot

HIGHCluster-Admin Bindings

3 bindings grant cluster-admin or equivalent

Affected Resources

argo-cd-argocd-application-controller -> ServiceAccount/argocd-application-controller
cluster-admin -> Group/system:masters
system:nodes:autopilot -> Group/system:nodes

K03: Secrets Management Failures

9 issue(s) / 3 finding(s)

HIGHNo External Secrets Management

No ExternalSecrets, Vault, or SealedSecrets CRDs found

MEDIUMCloud Provider Credentials in Secrets

8 secrets appear to contain cloud credentials

Affected Resources

argo-cd/argocd-repo-creds-ssh-creds
burpsuite/burpsuite-db-cnpg-backup-creds
cert-manager/rt53-creds
external-dns/rt53-creds
kube-system/openstack-cloud-config
kube-system/os-app-creds
kube-system/sh.helm.release.v1.openstack-ccm.v1
kube-system/sh.helm.release.v1.openstack-csi.v1

INFOSecret Inventory

121 secrets total, 77 Opaque type

K04: Lack of Centralized Policy Enforcement

29 issue(s) / 2 finding(s)

CRITICALPod Security Admission Not Enforced

Only 1/29 namespaces have PSA enforce labels

Affected Resources

owasp-scanner: restricted

HIGHNo Validation Policies

No Kyverno/OPA validation policies found to block insecure workloads

K05: Missing Network Segmentation

28 issue(s) / 1 finding(s)

CRITICALMost Namespaces Lack Network Policies

28/29 namespaces have no network policies (K8s: 1, Cilium: 0+0, Istio: 0)

Affected Resources

argo-cd
burpsuite
cert-manager
cilium-secrets
cnpg
default
external-dns
falco
ingress-nginx
k0s-autopilot
k0s-system
kcm-system
kube-node-lease
kube-public
kube-system
kyverno
manila-csi
nats
nessus
nessus-scanner

K06: Overly Exposed Cluster Components

4 issue(s) / 2 finding(s)

MEDIUMLoadBalancer Services Exposed

4 services directly exposed via LoadBalancer

Affected Resources

ingress-nginx/ingress-nginx-controller (139.66.13.49)
kube-system/cilium-ingress (139.66.13.117)
nessus-scanner/tenable-nessus (139.66.13.105)
nessus/tenable-nessus (139.66.13.96)

PASSAll Ingresses Use TLS

All 9 ingresses have TLS configured

K07: Misconfigured Cluster Components

86 issue(s) / 3 finding(s)

HIGHNo ResourceQuotas Defined

0/29 namespaces have ResourceQuotas

HIGHTrivy ConfigAudit Issues

29 resources have critical/high configuration findings

Affected Resources

default/replicaset-httpbin-56c54d77b8: 0C/1H
falco/daemonset-test-falco: 0C/8H
ingress-nginx/replicaset-ingress-nginx-controller-6f6f859569: 0C/2H
k0s-system/replicaset-k0s-pushgateway-6d8f9785c7: 0C/1H
kube-system/daemonset-cilium: 0C/19H
kube-system/daemonset-cilium-envoy: 0C/4H
kube-system/daemonset-csi-nfs-node: 0C/5H
kube-system/daemonset-openstack-cinder-csi-nodeplugin: 0C/7H
kube-system/daemonset-openstack-cloud-controller-manager: 0C/2H
kube-system/replicaset-cilium-operator-dc56c5457: 0C/3H
kube-system/replicaset-coredns-c8d757745: 0C/1H
kube-system/replicaset-csi-nfs-controller-68d68c78cc: 0C/6H
kube-system/replicaset-hubble-relay-5447cdd779: 0C/1H
kube-system/replicaset-hubble-ui-77d4cd6ff5: 0C/2H
kube-system/replicaset-openstack-cinder-csi-controllerplugin-6b6b78b7d8: 0C/6H
manila-csi/daemonset-manila-csi-openstack-manila-csi-nodeplugin: 0C/5H
manila-csi/statefulset-manila-csi-openstack-manila-csi-controllerplugin: 0C/6H
nessus-scanner/replicaset-nessus-bd65456d: 0C/1H
nessus/replicaset-nessus-bd65456d: 0C/1H
pgadmin4/replicaset-test-pgadmin4-79b5dc6f54: 0C/2H

MEDIUMInsufficient LimitRanges

Only 1 LimitRange(s) across 29 namespaces

K08: Cluster-to-Cloud Lateral Movement

6 issue(s) / 1 finding(s)

MEDIUMCloud Credentials Accessible In-Cluster

6 secrets contain cloud provider credentials

Affected Resources

cert-manager/rt53-creds
external-dns/rt53-creds
kube-system/openstack-cloud-config
kube-system/os-app-creds
kube-system/sh.helm.release.v1.openstack-ccm.v1
kube-system/sh.helm.release.v1.openstack-csi.v1

K09: Broken Authentication Mechanisms

30 issue(s) / 2 finding(s)

MEDIUMDefault SA Auto-Mounts Tokens

29 namespaces have default SA with automountServiceAccountToken != false

Affected Resources

argo-cd
burpsuite
cert-manager
cilium-secrets
cnpg
default
external-dns
falco
ingress-nginx
k0s-autopilot
k0s-system
kcm-system
kube-node-lease
kube-public
kube-system
kyverno
manila-csi
nats
nessus
nessus-scanner

MEDIUMNo mTLS Enforcement

No Istio PeerAuthentication resources found

K10: Inadequate Logging and Monitoring

1 issue(s) / 2 finding(s)

MEDIUMMissing Monitoring Categories

1 monitoring gaps detected

Affected Resources

SIEM (Splunk/ELK)

PASSSecurity Monitoring Present

3/4 monitoring categories covered

Affected Resources

Runtime Security (Falco)
Log Collection (Vector/Fluentd/Fluentbit)
Network Observability (Hubble)

🔎 CWE/SANS Top 25 (2025)

Assessment mapped from 2025 CWE Top 25 to Kubernetes controls | 14 findings, 944 affected resources

620 High 324 Medium

CWE Kubernetes Relevance Mapping

Rank	CWE ID	Weakness	K8s Relevance
1	CWE-79	XSS: Cross-site Scripting	High — WAF/ModSecurity at ingress layer
2	CWE-89	SQL Injection	High — Database service exposure, parameterized queries
3	CWE-352	Cross-Site Request Forgery (CSRF)	Medium — Ingress-level CSRF protection headers
4	CWE-862	Missing Authorization	Critical — RBAC — missing authorization on SA/roles
5	CWE-787	Out-of-bounds Write	Medium — Image vulnerability scanning (Trivy)
6	CWE-22	Path Traversal	Critical — hostPath mounts enable path traversal
7	CWE-416	Use After Free	Medium — Image vulnerability scanning (Trivy)
8	CWE-125	Out-of-bounds Read	Medium — Image vulnerability scanning (Trivy)
9	CWE-78	OS Command Injection	Critical — Command injection — readOnlyRootFS, runAsNonRoot
10	CWE-94	Code Injection	Critical — pods/exec RBAC = code injection vector
11	CWE-120	Classic Buffer Overflow	Low — Image vulnerability scanning (Trivy)
12	CWE-434	Unrestricted Upload of Dangerous File Type	Medium — readOnlyRootFilesystem, ephemeral storage
13	CWE-476	NULL Pointer Dereference	Low — Image vulnerability scanning (Trivy)
14	CWE-121	Stack-based Buffer Overflow	Low — Application-level
15	CWE-502	Deserialization of Untrusted Data	High — Deserialization — readOnlyRootFS, network policies
16	CWE-122	Heap-based Buffer Overflow	Low — Application-level
17	CWE-863	Incorrect Authorization	Critical — Broken access control — RBAC misconfig
18	CWE-20	Improper Input Validation	Low — Application-level
19	CWE-284	Improper Access Control	Critical — Improper access control — RBAC
20	CWE-200	Exposure of Sensitive Information	High — Env var exposure, secret protection
21	CWE-306	Missing Authentication for Critical Function	High — Missing authentication — Ingress auth annotations
22	CWE-918	Server-Side Request Forgery (SSRF)	High — SSRF — NetworkPolicy egress restrictions
23	CWE-77	Command Injection	Critical — Command injection — same as CWE-78
24	CWE-639	Authorization Bypass Through User-Controlled Key	Medium — SA token automount = authorization bypass vector
25	CWE-770	Allocation of Resources Without Limits	Critical — Resource limits prevent DoS

CWE Detailed Findings

944 affected resource(s) / 14 finding(s)

HIGHCWE-22: Pods with hostPath volume mounts (Path Traversal risk)

606 pod(s) mount host filesystem paths. A compromised container could traverse the host filesystem.

Affected Resources

default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-65442 mounts hostPath=/
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-7995w mounts hostPath=/
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-f9pqb mounts hostPath=/
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-fkq8r mounts hostPath=/
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-h4dnq mounts hostPath=/
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-j7xgg mounts hostPath=/
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-kc76c mounts hostPath=/
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-krs67 mounts hostPath=/
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-v68cj mounts hostPath=/
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-whdsf mounts hostPath=/
falco/test-falco-4ttzt mounts hostPath=/var/run/docker.sock
falco/test-falco-4ttzt mounts hostPath=/run/podman/podman.sock
falco/test-falco-4ttzt mounts hostPath=/run/host-containerd/containerd.sock
falco/test-falco-4ttzt mounts hostPath=/run/containerd/containerd.sock
falco/test-falco-4ttzt mounts hostPath=/run/crio/crio.sock
falco/test-falco-4ttzt mounts hostPath=/run/k3s/containerd/containerd.sock
falco/test-falco-4ttzt mounts hostPath=/boot
falco/test-falco-4ttzt mounts hostPath=/lib/modules
falco/test-falco-4ttzt mounts hostPath=/usr
falco/test-falco-4ttzt mounts hostPath=/etc
falco/test-falco-4ttzt mounts hostPath=/dev
falco/test-falco-4ttzt mounts hostPath=/sys/module
falco/test-falco-4ttzt mounts hostPath=/sys/kernel
falco/test-falco-4ttzt mounts hostPath=/proc
falco/test-falco-5sbff mounts hostPath=/var/run/docker.sock
falco/test-falco-5sbff mounts hostPath=/run/podman/podman.sock
falco/test-falco-5sbff mounts hostPath=/run/host-containerd/containerd.sock
falco/test-falco-5sbff mounts hostPath=/run/containerd/containerd.sock
falco/test-falco-5sbff mounts hostPath=/run/crio/crio.sock
falco/test-falco-5sbff mounts hostPath=/run/k3s/containerd/containerd.sock

HIGHCWE-94: ClusterRoles allowing pod exec/attach (Code Injection vector)

5 ClusterRole(s) grant pods/exec or pods/attach create access, enabling code injection into running containers.

Affected Resources

ClusterRole/admin
ClusterRole/cnpg-manager
ClusterRole/cnpg-operator-cloudnative-pg
ClusterRole/edit
ClusterRole/system:aggregate-to-edit

HIGHCWE-200: Sensitive data in plain-text environment variables

9 container(s) have sensitive-looking values in plain-text env vars (not using secretKeyRef).

Affected Resources

splunk/splunk-cm-test-cluster-manager-0/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD
splunk/splunk-idxc-test-indexer-0/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD
splunk/splunk-idxc-test-indexer-1/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD
splunk/splunk-idxc-test-indexer-2/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD
splunk/splunk-mc-test-monitoring-console-0/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD
splunk/splunk-shc-test-deployer-0/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD
splunk/splunk-shc-test-search-head-0/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD
splunk/splunk-shc-test-search-head-1/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD
splunk/splunk-shc-test-search-head-2/splunk env=SPLUNK_DECLARATIVE_ADMIN_PASSWORD

MEDIUMCWE-79: Ingresses without WAF/ModSecurity protection

9 ingress(es) expose web applications without WAF annotations (ModSecurity/OWASP CRS). XSS attacks against exposed web apps are not mitigated at the ingress layer.

Affected Resources

argo-cd/argo-cd-argocd-server
burpsuite/bsee-ingress
nats/test-nats-ui-nui
nats/test-nats-ws
owasp-scanner/owasp-scanner
pgadmin4/test-pgadmin4
splunk/shc-test-ingress
tenable-enclave/test-tenable-enclave-tes-operator
vector-aggregator/test-vector-aggregator

MEDIUMCWE-78/CWE-77: Containers without readOnlyRootFilesystem or runAsNonRoot

83 container(s) run without readOnlyRootFilesystem AND runAsNonRoot. If command injection is exploited, attackers gain writable root filesystem access as root user.

Affected Resources

burpsuite/test-burpsuite-enterprise-server-58c8584545-qdhf5/enterprise-server
burpsuite/test-burpsuite-web-server-8464668497-kp4m4/web-server
burpsuite/ubuntu-change-pvc-permissions-6l62k/ubuntu
default/httpbin-56c54d77b8-9cd8d/httpbin
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-65442/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-7995w/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-f9pqb/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-fkq8r/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-h4dnq/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-j7xgg/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-kc76c/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-krs67/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-v68cj/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-whdsf/debugger
falco/test-falco-4ttzt/falco
falco/test-falco-4ttzt/falcoctl-artifact-follow
falco/test-falco-5sbff/falco
falco/test-falco-5sbff/falcoctl-artifact-follow
falco/test-falco-bw6sg/falco
falco/test-falco-bw6sg/falcoctl-artifact-follow
falco/test-falco-fm42l/falco
falco/test-falco-fm42l/falcoctl-artifact-follow
falco/test-falco-hd8g7/falco
falco/test-falco-hd8g7/falcoctl-artifact-follow
falco/test-falco-k8p25/falco
falco/test-falco-k8p25/falcoctl-artifact-follow
falco/test-falco-mblws/falco
falco/test-falco-mblws/falcoctl-artifact-follow
falco/test-falco-mq8vw/falco
falco/test-falco-mq8vw/falcoctl-artifact-follow

MEDIUMCWE-306: Ingresses without authentication annotations

7 ingress(es) have no external authentication configured (auth-url, auth-signin, etc).

Affected Resources

argo-cd/argo-cd-argocd-server (argo.never-security.sms.dev.sci.scs.sap)
burpsuite/bsee-ingress (burpsuite.never-security.sms.dev.sci.scs.sap)
nats/test-nats-ws (nats.never-security.sms.dev.sci.scs.sap)
owasp-scanner/owasp-scanner (owasp-scanner.never-security.sms.dev.sci.scs.sap)
pgadmin4/test-pgadmin4 (pgadmin4.never-security.sms.dev.sci.scs.sap)
splunk/shc-test-ingress (splunk.never-security.sms.dev.sci.scs.sap)
tenable-enclave/test-tenable-enclave-tes-operator (tenable-enclave.never-security.sms.dev.sci.scs.sap)

MEDIUMCWE-918: Insufficient network policies to prevent SSRF

Only 1 NetworkPolicy(ies) across 29 namespaces. Pods can reach cloud metadata endpoints (169.254.169.254) and internal services, enabling SSRF attacks.

MEDIUMCWE-770: Containers without resource limits (DoS risk)

84 container(s) have no resource limits. A runaway process could exhaust node resources (Denial of Service).

Affected Resources

argo-cd/argo-cd-argocd-dex-server-57589b5c8b-mzjn2/dex-server
argo-cd/argo-cd-redis-ha-haproxy-5fd56f647d-5dxdb/haproxy
argo-cd/argo-cd-redis-ha-haproxy-5fd56f647d-8fsl8/haproxy
argo-cd/argo-cd-redis-ha-haproxy-5fd56f647d-czddh/haproxy
argo-cd/argo-cd-redis-ha-server-0/split-brain-fix
argo-cd/argo-cd-redis-ha-server-0/redis-exporter
argo-cd/argo-cd-redis-ha-server-1/split-brain-fix
argo-cd/argo-cd-redis-ha-server-1/redis-exporter
argo-cd/argo-cd-redis-ha-server-2/split-brain-fix
argo-cd/argo-cd-redis-ha-server-2/redis-exporter
cert-manager/cert-manager-cainjector-cf4f94f8c-vjf64/cert-manager-cainjector
cert-manager/cert-manager-cd6c7c6b9-k6w8l/cert-manager-controller
cert-manager/cert-manager-webhook-6d78ddb474-vzlwx/cert-manager-webhook
cert-manager/trust-manager-86c84f6d48-jvqm8/trust-manager
cnpg/cnpg-operator-cloudnative-pg-58c485df56-jjlx9/manager
default/httpbin-56c54d77b8-9cd8d/httpbin
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-65442/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-7995w/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-f9pqb/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-fkq8r/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-h4dnq/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-j7xgg/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-kc76c/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-krs67/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-v68cj/debugger
default/node-debugger-never-dev-sec-mdb-fwp85-g5lvc-whdsf/debugger
external-dns/external-dns-5bf4f5dfb5-swdlz/external-dns
falco/test-falco-4ttzt/falcoctl-artifact-follow
falco/test-falco-5sbff/falcoctl-artifact-follow
falco/test-falco-bw6sg/falcoctl-artifact-follow

MEDIUMCWE-639: Majority of pods automount SA tokens

113 pod(s) automount service account tokens. Compromised pods can use the token to impersonate the SA and bypass authorization via the user-controlled token.

Affected Resources

(113 pods — list truncated)

INFOCWE-79/CWE-89/CWE-352: Application-layer injection/CSRF weaknesses

XSS, SQL Injection, and CSRF are primarily application-code vulnerabilities. Mitigation: Use WAFs at the ingress layer, keep container images updated, run vulnerability scanners on application code.

INFOCWE-787/CWE-416/CWE-125/CWE-120/CWE-121/CWE-122/CWE-476: Memory safety weaknesses (C/C++ binary vulnerabilities)

Out-of-bounds Write/Read, Use After Free, Buffer Overflows, and NULL Pointer Dereference are binary-level vulnerabilities. Mitigation: Use container image vulnerability scanners (Trivy, Grype) to detect known CVEs in base images. Apply readOnlyRootFilesystem and drop all capabilities to limit exploit impact.

INFOCWE-434: Unrestricted file upload

Applies to web applications allowing file uploads. Mitigation: readOnlyRootFilesystem, ephemeral container storage, and network policies limit post-exploitation impact.

INFONo Trivy VulnerabilityReports found

Trivy Operator may not be running active image scans. Deploy trivy-operator to detect CWE-related CVEs in images.

PASSCWE-89: No database services directly exposed

All database services use ClusterIP (internal only).