"ID","Name","Category","Severity","Status","Message","Recommendation","URL"
"CFG001","Orphaned ConfigMaps","Best Practices","warning","PASS","No issues detected for Orphaned ConfigMaps.","Delete unused ConfigMaps to clean up the cluster and reduce confusion.","https://kubernetes.io/docs/concepts/configuration/configmap/"
"CFG002","Duplicate ConfigMap Names","Best Practices","warning","FAIL","Namespace: - | Resource: configmap/kube-root-ca.crt | Message: Found in namespaces: azure-store, default | Value: -","Avoid using the same ConfigMap name across namespaces to reduce confusion and misconfiguration risk.","https://kubernetes.io/docs/concepts/configuration/configmap/"
"CFG002","Duplicate ConfigMap Names","Best Practices","warning","FAIL","Namespace: - | Resource: configmap/kube-root-ca.crt | Message: Found in namespaces: azure-store, default | Value: -","Avoid using the same ConfigMap name across namespaces to reduce confusion and misconfiguration risk.","https://kubernetes.io/docs/concepts/configuration/configmap/"
"CFG003","Large ConfigMaps","Best Practices","warning","PASS","No issues detected for Large ConfigMaps.","Avoid storing large data in ConfigMaps. Consider using PersistentVolumes or Secrets instead.","https://kubernetes.io/docs/concepts/configuration/configmap/"
"EVENT001","Grouped Warning Events","Events","warning","FAIL","0/3 nodes are available: 3 node(s) had untolerated taint {CriticalAddonsOnly: true}. preemption: 0/3 nodes are available: 3 Preemption is not helpful for scheduling.","Check for recurring issues. Investigate sources using `kubectl describe` or logs.","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#event-v1-core"
"EVENT002","Full Warning Event Log","Events","warning","FAIL","azure-store | 0/3 nodes are available: 3 node(s) had untolerated taint {CriticalAddonsOnly: true}. preemption: 0/3 nodes are available: 3 Preemption is not helpful for scheduling.","Review recent warnings. Correlate events with impacted resources.","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#event-v1-core"
"EVENT002","Full Warning Event Log","Events","warning","FAIL","azure-store | 0/3 nodes are available: 3 node(s) had untolerated taint {CriticalAddonsOnly: true}. preemption: 0/3 nodes are available: 3 Preemption is not helpful for scheduling.","Review recent warnings. Correlate events with impacted resources.","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#event-v1-core"
"EVENT002","Full Warning Event Log","Events","warning","FAIL","azure-store | 0/3 nodes are available: 3 node(s) had untolerated taint {CriticalAddonsOnly: true}. preemption: 0/3 nodes are available: 3 Preemption is not helpful for scheduling.","Review recent warnings. Correlate events with impacted resources.","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#event-v1-core"
"EVENT002","Full Warning Event Log","Events","warning","FAIL","azure-store | 0/3 nodes are available: 3 node(s) had untolerated taint {CriticalAddonsOnly: true}. preemption: 0/3 nodes are available: 3 Preemption is not helpful for scheduling.","Review recent warnings. Correlate events with impacted resources.","https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#event-v1-core"
"JOB001","Stuck Kubernetes Jobs","Jobs","warning","PASS","No issues detected for Stuck Kubernetes Jobs.","Jobs that haven't completed may be stuck due to node issues, misconfiguration, or missing pods.","https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy"
"JOB002","Failed Kubernetes Jobs","Jobs","critical","PASS","No issues detected for Failed Kubernetes Jobs.","Review job logs and resource constraints to identify cause of failure.","https://kubernetes.io/docs/concepts/workloads/controllers/job/#handling-pod-and-container-failures"
"NET001","Services Without Endpoints","Networking","critical","FAIL","Namespace: azure-store | Resource: service/order-service | Message: No endpoints or endpoint slices","Check if the service selector matches any pods. Ensure the backing pods are running and ready.","https://kubernetes.io/docs/concepts/services-networking/service/"
"NET001","Services Without Endpoints","Networking","critical","FAIL","Namespace: azure-store | Resource: service/product-service | Message: No endpoints or endpoint slices","Check if the service selector matches any pods. Ensure the backing pods are running and ready.","https://kubernetes.io/docs/concepts/services-networking/service/"
"NET001","Services Without Endpoints","Networking","critical","FAIL","Namespace: azure-store | Resource: service/rabbitmq | Message: No endpoints or endpoint slices","Check if the service selector matches any pods. Ensure the backing pods are running and ready.","https://kubernetes.io/docs/concepts/services-networking/service/"
"NET001","Services Without Endpoints","Networking","critical","FAIL","Namespace: azure-store | Resource: service/store-front | Message: No endpoints or endpoint slices","Check if the service selector matches any pods. Ensure the backing pods are running and ready.","https://kubernetes.io/docs/concepts/services-networking/service/"
"NET002","Publicly Accessible Services","Networking","critical","FAIL","Namespace: azure-store | Resource: service/store-front | Message: Exposed via external IP: 131.145.120.106 | Value: LoadBalancer","Audit services of type LoadBalancer or NodePort. Limit exposure with firewalls or internal IP ranges.","https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services"
"NET003","Ingress Health Validation","Networking","critical","PASS","No issues detected for Ingress Health Validation.","Fix invalid ingress definitions including missing TLS secrets, backend services, and path issues.","https://kubernetes.io/docs/concepts/services-networking/ingress/"
"NET004","Namespace Missing Network Policy","Security","warning","FAIL","Namespace: azure-store | Resource: namespace/azure-store | Message: No NetworkPolicy in active namespace","Apply a default deny-all ingress/egress NetworkPolicy in each namespace that hosts workloads, then selectively allow traffic as needed.","https://kubernetes.io/docs/concepts/services-networking/network-policies/"
"NET005","Ingress Host/Path Conflicts","Networking","critical","PASS","No issues detected for Ingress Host/Path Conflicts.","Resolve conflicting host and path combinations across Ingress resources to ensure predictable routing. Each host/path pair should be unique.","https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-ingresses"
"NET006","Ingress Using Wildcard Hosts","Networking","warning","PASS","No issues detected for Ingress Using Wildcard Hosts.","Review Ingress resources using wildcard hosts. Prefer explicit hostnames for tighter security and clearer routing intent where possible.","https://kubernetes.io/docs/concepts/services-networking/ingress/#hostname-wildcards"
"NET007","Service TargetPort Mismatch","Networking","critical","PASS","No issues detected for Service TargetPort Mismatch.","Ensure that all 'targetPort' definitions in services correctly match a 'containerPort' (by number or name) defined in the pods selected by the service.","https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service"
"NET008","ExternalName Service to Internal IP","Networking","warning","PASS","No issues detected for ExternalName Service to Internal IP.","Review 'ExternalName' services pointing to internal IPs. Consider using a regular Service with an EndpointSlice for internal traffic, or clarify intent if valid.","https://kubernetes.io/docs/concepts/services-networking/service/#externalname"
"NET009","Overly Permissive Network Policy","Networking","critical","PASS","No issues detected for Overly Permissive Network Policy.","Review NetworkPolicies with empty rules or broad IP blocks. Ensure policies enforce the principle of least privilege, explicitly defining allowed traffic.","https://kubernetes.io/docs/concepts/services-networking/network-policies/"
"NET010","Network Policy Overly Permissive IPBlock","Networking","critical","PASS","No issues detected for Network Policy Overly Permissive IPBlock.","Replace '0.0.0.0/0' ipBlock in NetworkPolicies with specific CIDR ranges to enforce the principle of least privilege. Only allow traffic to/from necessary IPs.","https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-ipblock-specifier"
"NET011","Network Policy Missing PolicyTypes","Networking","info","PASS","No issues detected for Network Policy Missing PolicyTypes.","Explicitly define 'policyTypes' (e.g., [Ingress, Egress]) in NetworkPolicies for clarity and to prevent unexpected behavior with future Kubernetes versions or different CNI plugins.","https://kubernetes.io/docs/concepts/services-networking/network-policies/#policy-types"
"NET012","Pod HostNetwork Usage","Networking","critical","PASS","No issues detected for Pod HostNetwork Usage.","Avoid 'hostNetwork: true' unless absolutely necessary. For most cases, Kubernetes' built-in networking (e.g., Services, Ingress, NetworkPolicies) provides better isolation and security.","https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/#host-networking"
"NET013","Ingress Present Without Gateway API Adoption","Networking","warning","PASS","No issues detected for Ingress Present Without Gateway API Adoption.","Plan migration from Ingress to Gateway API. Start by defining GatewayClass/Gateway and incrementally moving routes to HTTPRoute.","https://gateway-api.sigs.k8s.io/"
"NET014","HTTPRoute Missing or Unaccepted Parent","Networking","critical","PASS","No issues detected for HTTPRoute Missing or Unaccepted Parent.","Ensure each HTTPRoute has valid parentRefs and that the referenced Gateway accepts the route.","https://gateway-api.sigs.k8s.io/api-types/httproute/"
"NET015","Gateways Without Attached HTTPRoutes","Networking","warning","PASS","No issues detected for Gateways Without Attached HTTPRoutes.","Attach HTTPRoutes to active Gateways or remove unused Gateways to reduce configuration drift.","https://gateway-api.sigs.k8s.io/api-types/gateway/"
"NET016","Gateway API Readiness Conditions","Networking","critical","PASS","No issues detected for Gateway API Readiness Conditions.","Review GatewayClass and Gateway status conditions and controller health before migrating traffic.","https://gateway-api.sigs.k8s.io/guides/"
"NET017","Gateway TLS Secret and Cross-Namespace ReferenceGrant Validation","Networking","critical","PASS","No issues detected for Gateway TLS Secret and Cross-Namespace ReferenceGrant Validation.","Ensure listener certificateRefs point to existing Secrets and add ReferenceGrants for cross-namespace Secret usage.","https://gateway-api.sigs.k8s.io/api-types/referencegrant/"
"NET018","Duplicate Service Selectors","Networking","warning","PASS","No issues detected for Duplicate Service Selectors.","Use unique selectors per Service so AKS Automatic admission does not reject overlapping service ownership.","https://kubernetes.io/docs/concepts/services-networking/service/"
"NODE001","Node Readiness and Conditions","Nodes","critical","PASS","No issues detected for Node Readiness and Conditions.","Investigate NotReady nodes to avoid workload disruption.","https://kubernetes.io/docs/concepts/architecture/nodes/"
"NODE002","Node Resource Pressure","Nodes","warning","PASS","Node resource pressure detected","Investigate and rebalance workloads on nodes with high resource usage.","https://kubernetes.io/docs/tasks/debug/debug-cluster/resource-usage-monitoring/"
"NODE003","Max Pods per Node","Resources","warning","FAIL","aks-systempool-39088964-vmss00000k | Warning | 84.00%","Check node pod counts and adjust scheduling or cluster size as needed.","https://kubernetes.io/docs/concepts/architecture/nodes/"
"NS001","Empty Namespaces","Namespaces","info","FAIL","default | No pods, but other resources exist","These may be stale or unused and safe to delete after verifying they contain no critical resources.","https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"
"NS002","Missing or Weak ResourceQuotas","Namespaces","warning","FAIL","azure-store | No ResourceQuota","Apply CPU, memory, and pod quotas to enforce fair resource usage.","https://kubernetes.io/docs/concepts/policy/resource-quotas/"
"NS002","Missing or Weak ResourceQuotas","Namespaces","warning","FAIL","default | No ResourceQuota","Apply CPU, memory, and pod quotas to enforce fair resource usage.","https://kubernetes.io/docs/concepts/policy/resource-quotas/"
"NS003","Missing LimitRanges","Namespaces","warning","FAIL","azure-store | No LimitRange","Define default CPU and memory limits to avoid unbounded pod usage.","https://kubernetes.io/docs/concepts/policy/limit-range/"
"NS003","Missing LimitRanges","Namespaces","warning","FAIL","default | No LimitRange","Define default CPU and memory limits to avoid unbounded pod usage.","https://kubernetes.io/docs/concepts/policy/limit-range/"
"NS004","Pods in Default Namespace","Namespaces","warning","PASS","No issues detected for Pods in Default Namespace.","Create and deploy into dedicated namespaces instead of `default`.","https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"
"POD001","Pods with High Restarts","Workloads","warning","PASS","No issues detected for Pods with High Restarts.","Review logs and events for frequently restarting pods and address root causes such as crashes, missing configs, or failing probes.","https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#application-crashes"
"POD002","Long Running Pods","Workloads","warning","PASS","No issues detected for Long Running Pods.","Review long-running pods and determine if they should be restarted or replaced by updated deployments.","https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase"
"POD003","Failed Pods","Workloads","critical","PASS","No issues detected for Failed Pods.","Investigate failed pods for common issues like image errors, resource constraints, or crash loops.","https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase"
"POD004","Pending Pods","Workloads","warning","FAIL","Namespace: azure-store | Resource: pod/order-service-65cc8855c-ghk9m | Message: Some pods are stuck in Pending. These workloads are not running and are waiting on cluster conditions. | Value: Pending","Inspect scheduling constraints, resource availability, and missing dependencies.","https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase"
"POD004","Pending Pods","Workloads","warning","FAIL","Namespace: azure-store | Resource: pod/product-service-77ff9f6fd6-rzcxj | Message: Some pods are stuck in Pending. These workloads are not running and are waiting on cluster conditions. | Value: Pending","Inspect scheduling constraints, resource availability, and missing dependencies.","https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase"
"POD004","Pending Pods","Workloads","warning","FAIL","Namespace: azure-store | Resource: pod/rabbitmq-5dcdf9484-kvgw7 | Message: Some pods are stuck in Pending. These workloads are not running and are waiting on cluster conditions. | Value: Pending","Inspect scheduling constraints, resource availability, and missing dependencies.","https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase"
"POD004","Pending Pods","Workloads","warning","FAIL","Namespace: azure-store | Resource: pod/store-front-698cc8c565-f5hp5 | Message: Some pods are stuck in Pending. These workloads are not running and are waiting on cluster conditions. | Value: Pending","Inspect scheduling constraints, resource availability, and missing dependencies.","https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase"
"POD005","CrashLoopBackOff Pods","Workloads","critical","PASS","No issues detected for CrashLoopBackOff Pods.","Check logs, investigate container errors, and fix misconfigurations.","https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy"
"POD006","Leftover Debug Pods","Workloads","warning","PASS","No issues detected for Leftover Debug Pods.","Delete any leftover debug pods and review your debugging practices.","https://kubernetes.io/docs/tasks/debug/debug-cluster/debug-running-pod/"
"POD007","Container images do not use latest tag","Resource Management","critical","FAIL","Namespace: azure-store | Resource: pod/order-service-65cc8855c-ghk9m | Message: Container order-service: Image uses latest tag | Value: ghcr.io/azure-samples/aks-store-demo/order-service:latest","Specify an explicit image tag (e.g., ':v1.2.3') on every container and initContainer to ensure consistent deployments.","https://kubernetes.io/docs/concepts/containers/images/#image-tags"
"POD007","Container images do not use latest tag","Resource Management","critical","FAIL","Namespace: azure-store | Resource: pod/order-service-65cc8855c-ghk9m | Message: Container wait-for-rabbitmq: Image omits explicit tag | Value: busybox","Specify an explicit image tag (e.g., ':v1.2.3') on every container and initContainer to ensure consistent deployments.","https://kubernetes.io/docs/concepts/containers/images/#image-tags"
"POD007","Container images do not use latest tag","Resource Management","critical","FAIL","Namespace: azure-store | Resource: pod/product-service-77ff9f6fd6-rzcxj | Message: Container product-service: Image uses latest tag | Value: ghcr.io/azure-samples/aks-store-demo/product-service:latest","Specify an explicit image tag (e.g., ':v1.2.3') on every container and initContainer to ensure consistent deployments.","https://kubernetes.io/docs/concepts/containers/images/#image-tags"
"POD007","Container images do not use latest tag","Resource Management","critical","FAIL","Namespace: azure-store | Resource: pod/store-front-698cc8c565-f5hp5 | Message: Container store-front: Image uses latest tag | Value: ghcr.io/azure-samples/aks-store-demo/store-front:latest","Specify an explicit image tag (e.g., ':v1.2.3') on every container and initContainer to ensure consistent deployments.","https://kubernetes.io/docs/concepts/containers/images/#image-tags"
"POD008","Automounting API Credentials Enabled in Pods","Security","warning","FAIL","Namespace: azure-store | Resource: pod/order-service-65cc8855c-ghk9m | Message: Pod automounts API credentials","Set automountServiceAccountToken to false in Pod specs unless API access is required.","https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server"
"POD008","Automounting API Credentials Enabled in Pods","Security","warning","FAIL","Namespace: azure-store | Resource: pod/product-service-77ff9f6fd6-rzcxj | Message: Pod automounts API credentials","Set automountServiceAccountToken to false in Pod specs unless API access is required.","https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server"
"POD008","Automounting API Credentials Enabled in Pods","Security","warning","FAIL","Namespace: azure-store | Resource: pod/rabbitmq-5dcdf9484-kvgw7 | Message: Pod automounts API credentials","Set automountServiceAccountToken to false in Pod specs unless API access is required.","https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server"
"POD008","Automounting API Credentials Enabled in Pods","Security","warning","FAIL","Namespace: azure-store | Resource: pod/store-front-698cc8c565-f5hp5 | Message: Pod automounts API credentials","Set automountServiceAccountToken to false in Pod specs unless API access is required.","https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server"
"PROM001","High CPU Pods (Prometheus)","Performance","warning","PASS","","Investigate high CPU usage pods. Adjust limits or optimize workloads.","https://kubernetes.io/docs/concepts/cluster-administration/monitoring/"
"PROM002","High Memory Usage Pods (Prometheus)","Performance","warning","PASS","","Review memory usage and consider tuning container memory limits.","https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
"PROM003","High Network Receive Rate (Prometheus)","Networking","warning","PASS","","Check for possible DDoS, misrouted traffic, or excessive ingress.","https://kubernetes.io/docs/concepts/cluster-administration/networking/"
"PROM004","API Server High Latency","Control Plane","critical","PASS","","Investigate API server load, networking issues, or control plane bottlenecks.","https://kubernetes.io/docs/concepts/overview/components/"
"PROM005","Overcommitted CPU (Prometheus)","Capacity","info","PASS","","Consider rescheduling pods or adjusting requests.","https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
"PROM006","Node Sizing Insights (Prometheus)","Capacity","info","PASS","No issues detected for Node Sizing Insights (Prometheus).","Use p95 CPU and memory trends to right-size node pools. Downsize sustained low-use nodes and scale up when saturation is sustained. Recommendations use a fixed 7-day window to reduce query cost and improve reliability.","https://kubernetes.io/docs/concepts/cluster-administration/node-autoscaling/"
"PROM007","Pod Sizing Insights (Prometheus)","Capacity","info","PASS","No issues detected for Pod Sizing Insights (Prometheus).","Tune requests to p95 usage with headroom. By default, keep CPU limits unset to reduce CFS throttling risk; keep memory limits to cap OOM blast radius. Recommendations use a fixed 7-day window to reduce query cost and improve reliability.","https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
"PV001","Orphaned Persistent Volumes","Volumes","warning","PASS","No issues detected for Orphaned Persistent Volumes.","Review and delete orphaned Persistent Volumes to reclaim storage.","https://kubernetes.io/docs/concepts/storage/persistent-volumes/"
"PVC001","Unused Persistent Volume Claims","Volumes","warning","PASS","No issues detected for Unused Persistent Volume Claims.","Review and delete unused PVCs to reclaim storage.","https://kubernetes.io/docs/concepts/storage/persistent-volumes/"
"PVC002","PVCs Using Default StorageClass","Volumes","info","PASS","No issues detected for PVCs Using Default StorageClass.","Explicitly specify storageClassName in PVCs for clarity and portability, reducing reliance on default configurations.","https://kubernetes.io/docs/concepts/storage/persistent-volumes/"
"PVC003","ReadWriteMany PVCs on Incompatible Storage","Volumes","critical","PASS","No issues detected for ReadWriteMany PVCs on Incompatible Storage.","Change access mode to ReadWriteOnce if only one pod needs access, or use a shared file system (e.g., NFS, GlusterFS, CephFS) for ReadWriteMany.","https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes"
"PVC004","Unbound Persistent Volume Claims","Volumes","critical","PASS","No issues detected for Unbound Persistent Volume Claims.","Investigate why the PVC is stuck in Pending. This often indicates issues with the StorageClass, available PVs, or the underlying storage provisioner.","https://kubernetes.io/docs/concepts/storage/persistent-volumes/"
"RBAC001","RBAC Misconfigurations","RBAC","critical","PASS","No issues detected for RBAC Misconfigurations.","Fix missing roleRefs, service accounts, and invalid namespaces in RoleBindings and ClusterRoleBindings.","https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
"RBAC002","RBAC Overexposure","RBAC","critical","FAIL","Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/aks-cluster-admin-binding | Message: cluster-admin binding (built-in) | Value: User/clusterAdmin","Avoid cluster-admin, wildcard, and sensitive resource access in roles. Use least privilege.","https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
"RBAC002","RBAC Overexposure","RBAC","critical","FAIL","Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/aks-cluster-admin-binding | Message: cluster-admin binding (built-in) | Value: User/clusterUser","Avoid cluster-admin, wildcard, and sensitive resource access in roles. Use least privilege.","https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
"RBAC002","RBAC Overexposure","RBAC","critical","FAIL","Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/aks-cluster-admin-binding-aad | Message: cluster-admin binding (built-in) | Value: Group/c30f2960-28f8-49cc-9308-c1e741824c4f","Avoid cluster-admin, wildcard, and sensitive resource access in roles. Use least privilege.","https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
"RBAC002","RBAC Overexposure","RBAC","critical","FAIL","Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/aks-secretprovidersyncing-rolebinding | Message: Access to sensitive resources | Value: ServiceAccount/aks-secrets-store-csi-driver","Avoid cluster-admin, wildcard, and sensitive resource access in roles. Use least privilege.","https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
"RBAC002","RBAC Overexposure","RBAC","critical","FAIL","Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/aks-service-rolebinding | Message: Access to sensitive resources | Value: User/aks-support","Avoid cluster-admin, wildcard, and sensitive resource access in roles. Use least privilege.","https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
"RBAC002","RBAC Overexposure","RBAC","critical","FAIL","Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/ama-metrics-clusterrolebinding | Message: Access to sensitive resources | Value: ServiceAccount/ama-metrics-serviceaccount","Avoid cluster-admin, wildcard, and sensitive resource access in roles. Use least privilege.","https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
"RBAC002","RBAC Overexposure","RBAC","critical","FAIL","Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/cluster-admin | Message: cluster-admin binding (built-in) | Value: Group/system:masters","Avoid cluster-admin, wildcard, and sensitive resource access in roles. Use least privilege.","https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
"RBAC002","RBAC Overexposure","RBAC","critical","FAIL","Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/system:controller:clusterrole-aggregation-controller | Message: Access to sensitive resources (built-in) | Value: ServiceAccount/clusterrole-aggregation-controller","Avoid cluster-admin, wildcard, and sensitive resource access in roles. Use least privilege.","https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
"RBAC002","RBAC Overexposure","RBAC","critical","FAIL","Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/system:controller:legacy-service-account-token-cleaner | Message: Access to sensitive resources (built-in) | Value: ServiceAccount/legacy-service-account-token-cleaner","Avoid cluster-admin, wildcard, and sensitive resource access in roles. Use least privilege.","https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
"RBAC002","RBAC Overexposure","RBAC","critical","FAIL","Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/system:kube-controller-manager | Message: Access to sensitive resources (built-in) | Value: User/system:kube-controller-manager","Avoid cluster-admin, wildcard, and sensitive resource access in roles. Use least privilege.","https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
"RBAC002","RBAC Overexposure","RBAC","critical","FAIL","Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/system:kube-scheduler | Message: Access to sensitive resources (built-in) | Value: User/system:kube-scheduler","Avoid cluster-admin, wildcard, and sensitive resource access in roles. Use least privilege.","https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
"RBAC002","RBAC Overexposure","RBAC","critical","FAIL","Namespace: 🌍 Cluster-Wide | Resource: ClusterRoleBinding/system:persistent-volume-binding | Message: Access to sensitive resources (built-in) | Value: ServiceAccount/persistent-volume-binder","Avoid cluster-admin, wildcard, and sensitive resource access in roles. Use least privilege.","https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
"RBAC003","Orphaned ServiceAccounts","RBAC","warning","FAIL","Namespace: default | Resource: serviceaccount/default | Message: ServiceAccount not used by pods or RBAC bindings | Value: default","Clean up unused ServiceAccounts to avoid confusion and reduce RBAC clutter.","https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/"
"RBAC004","Orphaned and Ineffective Roles","RBAC","info","FAIL","Namespace: cluster-wide | Resource: clusterrolebinding/system:node | Message: ClusterRoleBinding has no subjects | Value: system:node","Delete Roles and ClusterRoles that are not bound or do not define any rules.","https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
"RBAC004","Orphaned and Ineffective Roles","RBAC","info","FAIL","Namespace: cluster-wide | Resource: clusterrole/aks-secretproviderclasses-admin-role | Message: Unused ClusterRole | Value: aks-secretproviderclasses-admin-role","Delete Roles and ClusterRoles that are not bound or do not define any rules.","https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
"RBAC004","Orphaned and Ineffective Roles","RBAC","info","FAIL","Namespace: cluster-wide | Resource: clusterrole/aks-secretproviderclasses-viewer-role | Message: Unused ClusterRole | Value: aks-secretproviderclasses-viewer-role","Delete Roles and ClusterRoles that are not bound or do not define any rules.","https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
"SC001","Deprecated StorageClass Provisioners","StorageClasses","critical","PASS","No issues detected for Deprecated StorageClass Provisioners.","Migrate to a CSI-compliant StorageClass. This typically involves creating a new CSI-based StorageClass and then migrating existing PVCs.","https://kubernetes.io/docs/concepts/storage/storage-classes/#provisioner"
"SC002","AKS Azure In-Tree Storage Provisioners","StorageClasses","critical","PASS","No issues detected for AKS Azure In-Tree Storage Provisioners.","Migrate Azure storage classes to CSI drivers. Use disk.csi.azure.com or file.csi.azure.com instead of kubernetes.io/azure-disk and kubernetes.io/azure-file.","https://learn.microsoft.com/azure/aks/csi-storage-drivers"
"SC003","High Cluster Storage Usage","Utilization","warning","PASS","No issues detected for High Cluster Storage Usage.","Identify large volumes or inefficient applications, and consider scaling up storage or cleaning up old data.","https://kubernetes.io/docs/concepts/storage/volumes/"
"SC004","StorageClass Prevents Volume Expansion","StorageClasses","warning","FAIL","Namespace: (cluster) | Resource: storageclass/default | Message: StorageClass does not allow volume expansion. | Value: true","If dynamic volume resizing is desired, modify the StorageClass to set allowVolumeExpansion: true. Note: some underlying storage systems may not support this feature.","https://kubernetes.io/docs/concepts/storage/storage-classes/#allow-volume-expansion"
"SEC001","Orphaned Secrets","Security","warning","PASS","No issues detected for Orphaned Secrets.","Review and remove unused Secrets to reduce surface area and limit stale credentials.","https://kubernetes.io/docs/concepts/configuration/secret/"
"SEC002","Pods using hostPID or hostNetwork","Pods","critical","PASS","No issues detected for Pods using hostPID or hostNetwork.","Avoid using hostPID or hostNetwork unless strictly required. These settings reduce isolation and can expose the host.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline"
"SEC003","Pods Running as Root","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/order-service-65cc8855c-ghk9m | Message: Container order-service runs as root or has no runAsUser set | Value: Not Set (Defaults to root)","Avoid running pods as root by explicitly setting runAsUser to a non-zero UID in pod or container securityContext.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline"
"SEC003","Pods Running as Root","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/order-service-65cc8855c-ghk9m | Message: Container wait-for-rabbitmq runs as root or has no runAsUser set | Value: Not Set (Defaults to root)","Avoid running pods as root by explicitly setting runAsUser to a non-zero UID in pod or container securityContext.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline"
"SEC003","Pods Running as Root","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/order-service-65cc8855c-ghk9m | Message: Container runs as root or has no runAsUser set | Value: Not Set (Defaults to root)","Avoid running pods as root by explicitly setting runAsUser to a non-zero UID in pod or container securityContext.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline"
"SEC003","Pods Running as Root","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/product-service-77ff9f6fd6-rzcxj | Message: Container product-service runs as root or has no runAsUser set | Value: Not Set (Defaults to root)","Avoid running pods as root by explicitly setting runAsUser to a non-zero UID in pod or container securityContext.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline"
"SEC003","Pods Running as Root","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/product-service-77ff9f6fd6-rzcxj | Message: Container runs as root or has no runAsUser set | Value: Not Set (Defaults to root)","Avoid running pods as root by explicitly setting runAsUser to a non-zero UID in pod or container securityContext.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline"
"SEC003","Pods Running as Root","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/product-service-77ff9f6fd6-rzcxj | Message: Container runs as root or has no runAsUser set | Value: Not Set (Defaults to root)","Avoid running pods as root by explicitly setting runAsUser to a non-zero UID in pod or container securityContext.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline"
"SEC003","Pods Running as Root","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/rabbitmq-5dcdf9484-kvgw7 | Message: Container rabbitmq runs as root or has no runAsUser set | Value: Not Set (Defaults to root)","Avoid running pods as root by explicitly setting runAsUser to a non-zero UID in pod or container securityContext.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline"
"SEC003","Pods Running as Root","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/rabbitmq-5dcdf9484-kvgw7 | Message: Container runs as root or has no runAsUser set | Value: Not Set (Defaults to root)","Avoid running pods as root by explicitly setting runAsUser to a non-zero UID in pod or container securityContext.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline"
"SEC003","Pods Running as Root","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/rabbitmq-5dcdf9484-kvgw7 | Message: Container runs as root or has no runAsUser set | Value: Not Set (Defaults to root)","Avoid running pods as root by explicitly setting runAsUser to a non-zero UID in pod or container securityContext.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline"
"SEC003","Pods Running as Root","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/store-front-698cc8c565-f5hp5 | Message: Container store-front runs as root or has no runAsUser set | Value: Not Set (Defaults to root)","Avoid running pods as root by explicitly setting runAsUser to a non-zero UID in pod or container securityContext.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline"
"SEC003","Pods Running as Root","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/store-front-698cc8c565-f5hp5 | Message: Container runs as root or has no runAsUser set | Value: Not Set (Defaults to root)","Avoid running pods as root by explicitly setting runAsUser to a non-zero UID in pod or container securityContext.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline"
"SEC003","Pods Running as Root","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/store-front-698cc8c565-f5hp5 | Message: Container runs as root or has no runAsUser set | Value: Not Set (Defaults to root)","Avoid running pods as root by explicitly setting runAsUser to a non-zero UID in pod or container securityContext.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline"
"SEC004","Privileged Containers","Pod Security","critical","PASS","No issues detected for Privileged Containers.","Avoid using privileged containers unless absolutely necessary, as they grant broad access to host resources.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted"
"SEC005","Pods Using hostIPC","Pod Security","critical","PASS","No issues detected for Pods Using hostIPC.","Avoid using hostIPC in pods unless absolutely required for specific functionality.","https://kubernetes.io/docs/concepts/security/pod-security-standards/"
"SEC006","Pods Missing Secure Defaults","Pod Security","warning","FAIL","Namespace: azure-store | Resource: pod/order-service-65cc8855c-ghk9m | Message: Container order-service has no securityContext defined | Value: Missing securityContext","Set runAsNonRoot=true, readOnlyRootFilesystem=true, and allowPrivilegeEscalation=false for all pods and containers.","https://kubernetes.io/docs/concepts/security/pod-security-standards/"
"SEC006","Pods Missing Secure Defaults","Pod Security","warning","FAIL","Namespace: azure-store | Resource: pod/product-service-77ff9f6fd6-rzcxj | Message: Container product-service has no securityContext defined | Value: Missing securityContext","Set runAsNonRoot=true, readOnlyRootFilesystem=true, and allowPrivilegeEscalation=false for all pods and containers.","https://kubernetes.io/docs/concepts/security/pod-security-standards/"
"SEC006","Pods Missing Secure Defaults","Pod Security","warning","FAIL","Namespace: azure-store | Resource: pod/rabbitmq-5dcdf9484-kvgw7 | Message: Container rabbitmq has no securityContext defined | Value: Missing securityContext","Set runAsNonRoot=true, readOnlyRootFilesystem=true, and allowPrivilegeEscalation=false for all pods and containers.","https://kubernetes.io/docs/concepts/security/pod-security-standards/"
"SEC006","Pods Missing Secure Defaults","Pod Security","warning","FAIL","Namespace: azure-store | Resource: pod/store-front-698cc8c565-f5hp5 | Message: Container store-front has no securityContext defined | Value: Missing securityContext","Set runAsNonRoot=true, readOnlyRootFilesystem=true, and allowPrivilegeEscalation=false for all pods and containers.","https://kubernetes.io/docs/concepts/security/pod-security-standards/"
"SEC007","Missing Pod Security Admission Labels","Pod Security","info","FAIL","Namespace: azure-store | Issue: No pod security labels | Audit: N/A | Warn: N/A","Add 'pod-security.kubernetes.io/enforce' labels to your namespaces to enforce Pod Security standards. Use values like 'baseline' or 'restricted'.","https://kubernetes.io/docs/concepts/security/pod-security-admission/"
"SEC008","Secrets in Environment Variables","Pod Security","critical","PASS","No issues detected for Secrets in Environment Variables.","Avoid exposing secrets in environment variables. Mount secrets as volumes instead.","https://kubernetes.io/docs/concepts/configuration/secret/"
"SEC009","Missing Capabilities Drop","Pod Security","warning","FAIL","Namespace: azure-store | Resource: pod/order-service-65cc8855c-ghk9m | Message: Container order-service does not drop ALL capabilities","Explicitly drop all Linux capabilities unless specific ones are needed.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted"
"SEC009","Missing Capabilities Drop","Pod Security","warning","FAIL","Namespace: azure-store | Resource: pod/product-service-77ff9f6fd6-rzcxj | Message: Container product-service does not drop ALL capabilities","Explicitly drop all Linux capabilities unless specific ones are needed.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted"
"SEC009","Missing Capabilities Drop","Pod Security","warning","FAIL","Namespace: azure-store | Resource: pod/rabbitmq-5dcdf9484-kvgw7 | Message: Container rabbitmq does not drop ALL capabilities","Explicitly drop all Linux capabilities unless specific ones are needed.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted"
"SEC009","Missing Capabilities Drop","Pod Security","warning","FAIL","Namespace: azure-store | Resource: pod/store-front-698cc8c565-f5hp5 | Message: Container store-front does not drop ALL capabilities","Explicitly drop all Linux capabilities unless specific ones are needed.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted"
"SEC010","HostPath Volume Usage","Pod Security","critical","PASS","No issues detected for HostPath Volume Usage.","Avoid using hostPath unless absolutely necessary. Use persistent volumes instead.","https://kubernetes.io/docs/concepts/storage/volumes/#hostpath"
"SEC011","Containers Running as UID 0","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/order-service-65cc8855c-ghk9m | Message: Container order-service runs as UID 0 | Value: 0","Avoid setting runAsUser to 0. Use non-root UIDs for better isolation.","https://kubernetes.io/docs/concepts/security/pod-security-standards/"
"SEC011","Containers Running as UID 0","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/product-service-77ff9f6fd6-rzcxj | Message: Container product-service runs as UID 0 | Value: 0","Avoid setting runAsUser to 0. Use non-root UIDs for better isolation.","https://kubernetes.io/docs/concepts/security/pod-security-standards/"
"SEC011","Containers Running as UID 0","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/rabbitmq-5dcdf9484-kvgw7 | Message: Container rabbitmq runs as UID 0 | Value: 0","Avoid setting runAsUser to 0. Use non-root UIDs for better isolation.","https://kubernetes.io/docs/concepts/security/pod-security-standards/"
"SEC011","Containers Running as UID 0","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/store-front-698cc8c565-f5hp5 | Message: Container store-front runs as UID 0 | Value: 0","Avoid setting runAsUser to 0. Use non-root UIDs for better isolation.","https://kubernetes.io/docs/concepts/security/pod-security-standards/"
"SEC012","Added Linux Capabilities","Pod Security","warning","PASS","No issues detected for Added Linux Capabilities.","Avoid adding capabilities unless necessary. Most apps don’t need them.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted"
"SEC013","EmptyDir Volume Usage","Pod Security","info","PASS","No issues detected for EmptyDir Volume Usage.","Use persistent volumes or configMaps instead of EmptyDir when persistence is required.","https://kubernetes.io/docs/concepts/storage/volumes/#emptydir"
"SEC014","Untrusted Image Registries","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/order-service-65cc8855c-ghk9m | Message: Image from untrusted registry in container order-service | Value: ghcr.io/azure-samples/aks-store-demo/order-service:latest","Use only trusted registries. Restrict deployment sources via policy.","https://kubernetes.io/docs/concepts/containers/images/"
"SEC014","Untrusted Image Registries","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/product-service-77ff9f6fd6-rzcxj | Message: Image from untrusted registry in container product-service | Value: ghcr.io/azure-samples/aks-store-demo/product-service:latest","Use only trusted registries. Restrict deployment sources via policy.","https://kubernetes.io/docs/concepts/containers/images/"
"SEC014","Untrusted Image Registries","Pod Security","critical","FAIL","Namespace: azure-store | Resource: pod/store-front-698cc8c565-f5hp5 | Message: Image from untrusted registry in container store-front | Value: ghcr.io/azure-samples/aks-store-demo/store-front:latest","Use only trusted registries. Restrict deployment sources via policy.","https://kubernetes.io/docs/concepts/containers/images/"
"SEC015","Pods Using Default ServiceAccount","Pod Security","warning","FAIL","Namespace: azure-store | Resource: pod/order-service-65cc8855c-ghk9m | Message: Pod uses default ServiceAccount | Value: default","Assign a dedicated ServiceAccount to each workload with least-privilege permissions.","https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
"SEC015","Pods Using Default ServiceAccount","Pod Security","warning","FAIL","Namespace: azure-store | Resource: pod/product-service-77ff9f6fd6-rzcxj | Message: Pod uses default ServiceAccount | Value: default","Assign a dedicated ServiceAccount to each workload with least-privilege permissions.","https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
"SEC015","Pods Using Default ServiceAccount","Pod Security","warning","FAIL","Namespace: azure-store | Resource: pod/rabbitmq-5dcdf9484-kvgw7 | Message: Pod uses default ServiceAccount | Value: default","Assign a dedicated ServiceAccount to each workload with least-privilege permissions.","https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
"SEC015","Pods Using Default ServiceAccount","Pod Security","warning","FAIL","Namespace: azure-store | Resource: pod/store-front-698cc8c565-f5hp5 | Message: Pod uses default ServiceAccount | Value: default","Assign a dedicated ServiceAccount to each workload with least-privilege permissions.","https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
"SEC016","Unconfined Seccomp Profiles","Pod Security","critical","PASS","No issues detected for Unconfined Seccomp Profiles.","Use RuntimeDefault or Localhost seccomp profiles instead of Unconfined.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline"
"SEC017","Non-Default ProcMount","Pod Security","critical","PASS","No issues detected for Non-Default ProcMount.","Remove procMount overrides or set them to Default.","https://kubernetes.io/docs/concepts/security/pod-security-standards/"
"SEC018","Automounting API Credentials Enabled in ServiceAccounts","Security","warning","PASS","No issues detected for Automounting API Credentials Enabled in ServiceAccounts.","Set automountServiceAccountToken to false in ServiceAccount specs unless Pods require API access.","https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
"SEC019","Unsupported AppArmor Values","Pod Security","critical","PASS","No issues detected for Unsupported AppArmor Values.","Use RuntimeDefault or Localhost AppArmor profiles, or remove custom unsupported AppArmor values.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline"
"SEC020","Seccomp Profile Not Configured","Pod Security","warning","FAIL","Namespace: azure-store | Resource: pod/order-service-65cc8855c-ghk9m | Message: Container order-service has no explicit seccomp profile","Set seccompProfile.type to RuntimeDefault or Localhost at the pod or container level.","https://kubernetes.io/docs/concepts/security/linux-kernel-security-constraints/#seccomp"
"SEC020","Seccomp Profile Not Configured","Pod Security","warning","FAIL","Namespace: azure-store | Resource: pod/order-service-65cc8855c-ghk9m | Message: Container wait-for-rabbitmq has no explicit seccomp profile","Set seccompProfile.type to RuntimeDefault or Localhost at the pod or container level.","https://kubernetes.io/docs/concepts/security/linux-kernel-security-constraints/#seccomp"
"SEC020","Seccomp Profile Not Configured","Pod Security","warning","FAIL","Namespace: azure-store | Resource: pod/product-service-77ff9f6fd6-rzcxj | Message: Container product-service has no explicit seccomp profile","Set seccompProfile.type to RuntimeDefault or Localhost at the pod or container level.","https://kubernetes.io/docs/concepts/security/linux-kernel-security-constraints/#seccomp"
"SEC020","Seccomp Profile Not Configured","Pod Security","warning","FAIL","Namespace: azure-store | Resource: pod/rabbitmq-5dcdf9484-kvgw7 | Message: Container rabbitmq has no explicit seccomp profile","Set seccompProfile.type to RuntimeDefault or Localhost at the pod or container level.","https://kubernetes.io/docs/concepts/security/linux-kernel-security-constraints/#seccomp"
"SEC020","Seccomp Profile Not Configured","Pod Security","warning","FAIL","Namespace: azure-store | Resource: pod/store-front-698cc8c565-f5hp5 | Message: Container store-front has no explicit seccomp profile","Set seccompProfile.type to RuntimeDefault or Localhost at the pod or container level.","https://kubernetes.io/docs/concepts/security/linux-kernel-security-constraints/#seccomp"
"SEC021","Host Ports in Pod Specs","Pod Security","critical","PASS","No issues detected for Host Ports in Pod Specs.","Remove hostPort bindings and expose workloads using Services, Ingress, or Gateway APIs instead.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline"
"SEC022","Non-Existent Secret References","Pod Security","critical","PASS","No issues detected for Non-Existent Secret References.","Verify that all Secrets referenced by pods exist in the target namespace.","https://kubernetes.io/docs/concepts/configuration/secret/"
"SEC023","Disallowed Sysctls","Pod Security","critical","PASS","No issues detected for Disallowed Sysctls.","Remove non-baseline sysctls or redesign the workload to avoid kernel tuning inside the pod.","https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline"
"WRK001","DaemonSets Not Fully Running","Workloads","warning","PASS","No issues detected for DaemonSets Not Fully Running.","Investigate DaemonSets not fully running. Common causes include taints, node issues, or resource constraints.","https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/"
"WRK002","Deployment Missing Replicas","Workloads","warning","FAIL","Namespace: azure-store | Resource: deployment/order-service | Message: Deployment has fewer available replicas than desired. | Value: 0/1","Check Deployments that are not meeting their replica count. This may indicate rollout issues or failed pods.","https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"
"WRK002","Deployment Missing Replicas","Workloads","warning","FAIL","Namespace: azure-store | Resource: deployment/product-service | Message: Deployment has fewer available replicas than desired. | Value: 0/1","Check Deployments that are not meeting their replica count. This may indicate rollout issues or failed pods.","https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"
"WRK002","Deployment Missing Replicas","Workloads","warning","FAIL","Namespace: azure-store | Resource: deployment/rabbitmq | Message: Deployment has fewer available replicas than desired. | Value: 0/1","Check Deployments that are not meeting their replica count. This may indicate rollout issues or failed pods.","https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"
"WRK002","Deployment Missing Replicas","Workloads","warning","FAIL","Namespace: azure-store | Resource: deployment/store-front | Message: Deployment has fewer available replicas than desired. | Value: 0/1","Check Deployments that are not meeting their replica count. This may indicate rollout issues or failed pods.","https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"
"WRK003","StatefulSet Incomplete Rollout","Workloads","warning","PASS","No issues detected for StatefulSet Incomplete Rollout.","Investigate StatefulSets with missing ready replicas. This may indicate issues with pod readiness or volume binding.","https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/"
"WRK004","HPA Misconfiguration or Inactivity","Workloads","warning","PASS","No issues detected for HPA Misconfiguration or Inactivity.","Review HorizontalPodAutoscalers with missing targets, no metrics, or disabled scaling.","https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/"
"WRK005","Missing Resource Requests","Workloads","warning","PASS","No issues detected for Missing Resource Requests.","Define cpu and memory requests on all containers.","https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
"WRK006","PDB Coverage and Effectiveness","PDBs","critical","PASS","No issues detected for PDB Coverage and Effectiveness.","Workloads should have a valid PDB to prevent availability issues during disruptions.","https://kubernetes.io/docs/tasks/run-application/configure-pdb/"
"WRK007","Missing Readiness and Liveness Probes","Probes","warning","FAIL","Namespace: azure-store | Resource: deployment/order-service | Message: readiness, liveness missing | Value: order-service","Add readiness and liveness probes to all containers to improve availability and fault detection.","https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/"
"WRK007","Missing Readiness and Liveness Probes","Probes","warning","FAIL","Namespace: azure-store | Resource: deployment/product-service | Message: readiness, liveness missing | Value: product-service","Add readiness and liveness probes to all containers to improve availability and fault detection.","https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/"
"WRK007","Missing Readiness and Liveness Probes","Probes","warning","FAIL","Namespace: azure-store | Resource: deployment/rabbitmq | Message: readiness, liveness missing | Value: rabbitmq","Add readiness and liveness probes to all containers to improve availability and fault detection.","https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/"
"WRK007","Missing Readiness and Liveness Probes","Probes","warning","FAIL","Namespace: azure-store | Resource: deployment/store-front | Message: readiness, liveness missing | Value: store-front","Add readiness and liveness probes to all containers to improve availability and fault detection.","https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/"
"WRK008","Deployment Selector Without Matching Pods","Workloads","warning","PASS","No issues detected for Deployment Selector Without Matching Pods.","Ensure that pod labels match the Deployment selector.","https://kubernetes.io/docs/concepts/workloads/controllers/deployment/"
"WRK009","Deployment, Pod, and Service Label Consistency","Workloads","warning","PASS","No issues detected for Deployment, Pod, and Service Label Consistency.","Ensure Deployment selectors, Pod labels, and related Service selectors are consistent and aligned.","https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/"
"WRK010","HPA Metrics Without Matching Resource Requests","Workloads","warning","PASS","No issues detected for HPA Metrics Without Matching Resource Requests.","Set resource requests for HPA-managed workloads so autoscaling decisions are based on valid utilization signals.","https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/"
"WRK011","VPA Update Mode and Declarative Resource Conflict Risk","Workloads","warning","PASS","No issues detected for VPA Update Mode and Declarative Resource Conflict Risk.","Use VPA Off/Initial for recommendation-only flows, or tune ownership boundaries when combining VPA with HPA/GitOps.","https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler"
"WRK012","PodDisruptionBudget Adequacy for Replicated Workloads","Workloads","warning","PASS","No issues detected for PodDisruptionBudget Adequacy for Replicated Workloads.","Add or tune PDBs so maintenance can proceed safely without over-restricting disruption.","https://kubernetes.io/docs/tasks/run-application/configure-pdb/"
"WRK013","CrashLoopBackOff and OOMKilled Guardrail","Workloads","critical","PASS","No issues detected for CrashLoopBackOff and OOMKilled Guardrail.","Stabilize CrashLoop/OOM pods before applying aggressive right-sizing changes.","https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/"
"WRK014","Missing Memory Limits","Workloads","warning","PASS","No issues detected for Missing Memory Limits.","Define a memory limit on all containers to reduce the risk of node OOM pressure.","https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
"WRK015","Replicated Workloads Missing Spread Constraints","Workloads","warning","PASS","No issues detected for Replicated Workloads Missing Spread Constraints.","Add pod anti-affinity or topology spread constraints to replicated workloads.","https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/"
"AKSBP001","Allowed Container Images Policy Enforcement","Best Practices","High","FAIL","Container image restriction policies are not enforced, allowing deployment of images from any registry including public registries, untrusted sources, or images with known vulnerabilities. This significantly increases supply chain attack risks and compliance violations.","Deploy the Azure Policy initiative 'Kubernetes cluster pod security restricted standards' and configure specific allowed container registries. Use 'az policy assignment create' to assign the policy and set enforcement to 'deny' mode for production environments.","https://learn.microsoft.com/azure/aks/policy-reference"
"AKSBP002","No Privileged Containers Policy Enforcement","Best Practices","High","FAIL","Privileged container policies are not enforced, allowing workloads to run with full root privileges, access host devices, mount host file systems, and potentially escape container boundaries. This creates severe security risks and violates least-privilege principles.","Enable the 'Do not allow privileged containers' Azure Policy definition in enforce mode. Use Pod Security Standards with 'restricted' profile to block privileged containers and ensure security baseline compliance.","https://learn.microsoft.com/azure/aks/policy-reference"
"AKSBP003","Multiple Node Pools","Best Practices","Medium","FAIL","Single node pool configuration limits workload isolation, scaling flexibility, and security boundaries. All workloads share the same VM size, OS configuration, and scaling parameters, making it impossible to optimize for different application requirements or implement proper security zones.","Create separate node pools for different workload types using 'az aks nodepool add --resource-group <rg> --cluster-name <cluster> --name <pool-name>'. Use system pools for system pods, user pools for applications, and specialized pools (GPU, memory-optimized) for specific workloads.","https://learn.microsoft.com/azure/aks/use-multiple-node-pools"
"AKSBP004","Azure Linux as Host OS","Best Practices","High","PASS","0","Azure Linux as Host OS is enabled.","https://learn.microsoft.com/azure/aks/use-azure-linux"
"AKSBP005","Ephemeral OS Disks Enabled","Best Practices","Medium","PASS","0","Ephemeral OS Disks Enabled is enabled.","https://learn.microsoft.com/azure/aks/concepts-storage#ephemeral-os-disk"
"AKSBP006","Non-Ephemeral Disks with Adequate Size","Best Practices","Medium","PASS","0","Non-Ephemeral Disks with Adequate Size is enabled.","https://learn.microsoft.com/azure/aks/concepts-storage#managed-os-disks"
"AKSBP007","System Node Pool Taint","Best Practices","High","PASS","true","System Node Pool Taint is enabled.","https://learn.microsoft.com/azure/aks/use-system-pools?tabs=azure-cli#system-and-user-node-pools"
"AKSBP008","Auto Upgrade Channel Configured","Best Practices","Medium","FAIL","Automatic cluster upgrades are disabled, leaving the cluster vulnerable to security patches, bug fixes, and Kubernetes version support expiration. Manual upgrade management increases operational overhead and delays critical security updates.","Configure auto upgrade using 'az aks update --resource-group <rg> --name <cluster> --auto-upgrade-channel patch' for security patches or 'stable' for minor version updates. Use maintenance windows to control upgrade timing and minimize disruption.","https://learn.microsoft.com/azure/aks/auto-upgrade-cluster?tabs=azure-cli"
"AKSBP009","Node OS Upgrade Channel Configured","Best Practices","Medium","FAIL","Node OS automatic updates are disabled, leaving nodes running outdated OS versions with potential security vulnerabilities, missing security patches, and outdated system libraries. This increases the attack surface and compliance risks.","Enable node OS upgrade using 'az aks update --resource-group <rg> --name <cluster> --node-os-upgrade-channel NodeImage' for automatic OS updates. Use 'SecurityPatch' for security-only updates or configure maintenance windows for controlled updates.","https://learn.microsoft.com/azure/aks/auto-upgrade-node-os-image?tabs=azure-cli"
"AKSBP010","Customized MC_ Resource Group Name","Best Practices","Medium","PASS","true","Customized MC_ Resource Group Name is enabled.","https://learn.microsoft.com/azure/aks/faq#can-i-provide-my-own-name-for-the-aks-node-resource-group-"
"AKSBP011","System Node Pool Has Minimum Two Nodes","Best Practices","High","PASS","true","System Node Pool Has Minimum Two Nodes is enabled.","https://learn.microsoft.com/azure/aks/use-system-pools?tabs=azure-cli#recommendations"
"AKSBP012","Node Pool Version Matches Control Plane","Best Practices","Medium","PASS","true","Node Pool Version Matches Control Plane is enabled.","https://learn.microsoft.com/azure/aks/upgrade-cluster#check-the-current-kubernetes-version"
"AKSBP013","No B-Series VMs in Node Pools","Best Practices","High","PASS","0","No B-Series VMs in Node Pools is enabled.","https://learn.microsoft.com/azure/aks/best-practices-app-cluster-reliability#do-not-use-b-series-vms"
"AKSBP014","Use v5 or Newer SKU VMs for Node Pools","Best Practices","Medium","FAIL","Node pools are using older VM generations (v4 or earlier) that have reduced performance, lack modern security features, don't support ephemeral OS disks by default, and may experience more frequent maintenance events affecting availability and reliability.","Upgrade to v5 or newer VM SKUs using 'az aks nodepool add --vm-size Standard_D2s_v5' for new node pools. v5 SKUs provide better performance, support ephemeral OS disks by default, and have improved reliability during maintenance events and upgrades.","https://learn.microsoft.com/en-us/azure/aks/best-practices-app-cluster-reliability#v5-sku-vms"
"AKSBP015","Deployment Safeguards Enabled","Best Practices","Medium","FAIL","Deployment Safeguards are disabled, allowing non-compliant workloads to be deployed without validation of Kubernetes best practices. This leads to deployments without resource requests/limits, missing health probes, no anti-affinity rules, and other configuration issues that impact reliability and cost.","Enable Deployment Safeguards using 'az aks update --resource-group <rg> --name <cluster> --safeguards-level Warning' for alerting or 'Enforcement' to block non-compliant deployments. This enforces best practices including resource requests, readiness/liveness probes, pod anti-affinity, and Pod Security Standards.","https://learn.microsoft.com/azure/aks/deployment-safeguards"
"AKSDR001","Agent Pools with Availability Zones","Disaster Recovery","High","PASS","0","Agent Pools with Availability Zones is enabled.","https://learn.microsoft.com/azure/aks/availability-zones"
"AKSDR002","Control Plane SLA","Disaster Recovery","Medium","PASS","true","Control Plane SLA is enabled.","https://learn.microsoft.com/azure/aks/free-standard-pricing-tiers"
"AKSIAM001","RBAC Enabled","Identity & Access","High","PASS","true","RBAC Enabled is enabled.","https://learn.microsoft.com/azure/aks/manage-azure-rbac?tabs=azure-cli"
"AKSIAM002","Managed Identity","Identity & Access","High","PASS","UserAssigned","Managed Identity is enabled.","https://learn.microsoft.com/azure/aks/use-managed-identity"
"AKSIAM003","Workload Identity Enabled","Identity & Access","Medium","PASS","true","Workload Identity Enabled is enabled.","https://learn.microsoft.com/azure/aks/workload-identity-overview"
"AKSIAM004","Managed Identity Used","Identity & Access","High","PASS","UserAssigned","Managed Identity Used is enabled.","https://learn.microsoft.com/azure/aks/use-managed-identity"
"AKSIAM005","AAD RBAC Authorization Integrated","Identity & Access","High","PASS","true","AAD RBAC Authorization Integrated is enabled.","https://learn.microsoft.com/azure/aks/enable-authentication-microsoft-entra-id"
"AKSIAM006","AAD Managed Authentication Enabled","Identity & Access","High","PASS","true","AAD Managed Authentication Enabled is enabled.","https://learn.microsoft.com/azure/aks/manage-azure-rbac?tabs=azure-cli"
"AKSIAM007","Local Accounts Disabled","Identity & Access","High","PASS","true","Local Accounts Disabled is enabled.","https://learn.microsoft.com/azure/aks/manage-local-accounts-managed-azure-ad"
"AKSMON001","Azure Monitor","Monitoring & Logging","High","PASS","true","Azure Monitor is enabled.","https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-overview"
"AKSMON002","Managed Prometheus Enabled","Monitoring & Logging","High","PASS","true","Managed Prometheus Enabled is enabled.","https://learn.microsoft.com/azure/azure-monitor/essentials/prometheus-metrics-overview"
"AKSNET001","Authorized IP Ranges Configured (Public Clusters)","Networking","High","FAIL","API server accepts connections from any internet IP address, creating a large attack surface for brute force attacks, credential stuffing, and vulnerability exploitation. This violates network security best practices and most compliance frameworks.","Configure authorized IP ranges using 'az aks update --resource-group <rg> --name <cluster> --api-server-authorized-ip-ranges <ip-ranges>'. Include management networks, CI/CD systems, and jump boxes using CIDR notation. Alternatively, migrate to a private cluster for enhanced security.","https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges"
"AKSNET002","Network Policy Check","Networking","Medium","PASS","true","Network Policy Check is enabled.","https://learn.microsoft.com/azure/aks/operator-best-practices-network#control-traffic-flow-with-network-policies"
"AKSNET003","Web App Routing Enabled","Networking","Low","FAIL","Web App Routing add-on is disabled, requiring manual ingress controller management, DNS configuration, and SSL certificate handling. This increases operational overhead and may lead to inconsistent external access patterns and security configurations.","Enable Web App Routing using 'az aks enable-addons --resource-group <rg> --name <cluster> --addons web_application_routing'. Configure DNS zones and SSL certificates for automatic ingress management. Consider using Application Gateway Ingress Controller (AGIC) for enterprise scenarios.","https://learn.microsoft.com/azure/aks/web-app-routing"
"AKSNET004","Azure CNI with Cilium Dataplane Recommended","Networking","Medium","PASS","true","Azure CNI with Cilium Dataplane Recommended is enabled.","https://learn.microsoft.com/azure/aks/azure-cni-powered-by-cilium"
"AKSRES001","Cluster Autoscaler","Resource Management","Medium","PASS","true","Cluster Autoscaler is enabled.","https://learn.microsoft.com/azure/aks/cluster-autoscaler"
"AKSRES002","AKS Built-in Cost Tooling Enabled","Resource Management","Medium","FAIL","Cost analysis and OpenCost integration is disabled, providing no visibility into per-namespace, per-workload, or per-application spending. This makes it impossible to implement cost allocation, identify expensive workloads, optimize resource usage, or implement chargeback policies for different teams.","Enable cost analysis using 'az aks update --resource-group <rg> --name <cluster> --enable-cost-analysis' to track namespace and workload-level costs. Use the cost insights to identify expensive workloads, optimize resource requests, and implement chargeback/showback policies.","https://learn.microsoft.com/azure/aks/cost-analysis"
"AKSRES003","Vertical Pod Autoscaler (VPA) is enabled","Resource Management","Medium","PASS","true","Vertical Pod Autoscaler (VPA) is enabled is enabled.","https://learn.microsoft.com/azure/aks/vertical-pod-autoscaler"
"AKSRES004","KEDA (Event-Driven Autoscaling) Enabled","Resource Management","Low","PASS","true","KEDA (Event-Driven Autoscaling) Enabled is enabled.","https://learn.microsoft.com/azure/aks/keda-about"
"AKSRES005","Node Auto-provisioning or Cluster Autoscaler Configured","Resource Management","High","PASS","true","Node Auto-provisioning or Cluster Autoscaler Configured is enabled.","https://learn.microsoft.com/azure/aks/node-auto-provisioning"
"AKSSEC001","Private Cluster","Security","High","FAIL","API server is publicly accessible from the internet, exposing your cluster to potential attacks, unauthorized access attempts, and compliance violations. This creates a significant security risk as attackers can attempt to exploit Kubernetes API vulnerabilities.","Configure as a private cluster using 'az aks create --enable-private-cluster' or 'az aks update --enable-private-cluster' for existing clusters. This routes API server traffic through private endpoints within your VNet. Configure private DNS zones and ensure network connectivity from management machines.","https://learn.microsoft.com/azure/aks/private-clusters"
"AKSSEC002","Azure Policy Add-on","Security","Medium","PASS","true","Azure Policy Add-on is enabled.","https://learn.microsoft.com/azure/aks/policy-reference"
"AKSSEC003","Defender for Containers","Security","High","PASS","true","Defender for Containers is enabled.","https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction"
"AKSSEC004","OIDC Issuer Enabled","Security","Medium","PASS","true","OIDC Issuer Enabled is enabled.","https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster"
"AKSSEC005","Azure Key Vault Integration","Security","High","PASS","true","Azure Key Vault Integration is enabled.","https://learn.microsoft.com/azure/aks/csi-secrets-store-driver"
"AKSSEC006","Image Cleaner Enabled","Security","Medium","FAIL","Image Cleaner is disabled, allowing stale and potentially vulnerable container images to accumulate on node disks. This increases storage costs, extends attack surface with outdated images containing known CVEs, and can impact node performance due to disk space consumption.","Enable Image Cleaner using 'az aks update --resource-group <rg> --name <cluster> --enable-image-cleaner'. Configure cleaning interval and retention policies to automatically remove unused container images and reduce attack surface.","https://learn.microsoft.com/azure/aks/image-cleaner"
"AKSSEC007","Kubernetes Dashboard Disabled","Security","High","PASS","false","Kubernetes Dashboard Disabled is enabled.","https://learn.microsoft.com/azure/aks/kubernetes-dashboard"
"AKSSEC008","Pod Security Admission Enabled","Security","High","FAIL","Pod Security Admission is not configured on this cluster, meaning there are no built-in Kubernetes security controls to prevent insecure pod configurations. Without PSA, pods can run with dangerous settings like privileged mode, host network access, or unsafe capabilities, increasing container escape risks.","Configure Pod Security Admission by setting pod security standards on namespaces. Use 'kubectl label namespace <namespace> pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/audit=restricted pod-security.kubernetes.io/warn=restricted' for production namespaces. Consider 'baseline' for less restrictive environments. This is separate from Azure Policy and provides Kubernetes-native security controls.","https://learn.microsoft.com/azure/aks/use-psa"
"AKSAUTO","AKS Automatic Migration Readiness","AKS Automatic","Info","Not Ready","Fix blocker findings before migrating workloads to a new AKS Automatic cluster.","",""
"AKSAUTO","AKS Automatic Migration Readiness","AKS Automatic","Info","Blockers","1","",""
"AKSAUTO","AKS Automatic Migration Readiness","AKS Automatic","Info","Warnings","3","",""
"AKSAUTO","AKS Automatic Migration Readiness","AKS Automatic","Info","Alignment Failed","2","",""
"AKSAUTO","AKS Automatic Migration Readiness","AKS Automatic","Info","Alignment Passed","8","",""