Summary
Nodes
Namespaces
Workloads
Pods
Jobs
Networking
Storage
Configuration
Security
Kubernetes Events
AKS Best Practices

Cluster Overview

Cluster Health Score

Score: 37 / 100

37%

This score is calculated from key checks across nodes, workloads, security, and configuration best practices. A higher score means fewer issues and better adherence to Kubernetes standards.

API Server Health

latency (p99): 5 ms

Liveness: livez check passed expand_more

[+]ping ok
[+]log ok
[+]etcd ok
[+]poststarthook/start-apiserver-admission-initializer ok
[+]poststarthook/generic-apiserver-start-informers ok
[+]poststarthook/priority-and-fairness-config-consumer ok
[+]poststarthook/priority-and-fairness-filter ok
[+]poststarthook/storage-object-count-tracker-hook ok
[+]poststarthook/start-apiextensions-informers ok
[+]poststarthook/start-apiextensions-controllers ok
[+]poststarthook/crd-informer-synced ok
[+]poststarthook/start-service-ip-repair-controllers ok
[+]poststarthook/rbac/bootstrap-roles ok
[+]poststarthook/scheduling/bootstrap-system-priority-classes ok
[+]poststarthook/priority-and-fairness-config-producer ok
[+]poststarthook/start-system-namespaces-controller ok
[+]poststarthook/bootstrap-controller ok
[+]poststarthook/start-cluster-authentication-info-controller ok
[+]poststarthook/start-kube-apiserver-identity-lease-controller ok
[+]poststarthook/start-kube-apiserver-identity-lease-garbage-collector ok
[+]poststarthook/start-legacy-token-tracking-controller ok
[+]poststarthook/aggregator-reload-proxy-client-cert ok
[+]poststarthook/start-kube-aggregator-informers ok
[+]poststarthook/apiservice-registration-controller ok
[+]poststarthook/apiservice-status-available-controller ok
[+]poststarthook/apiservice-discovery-controller ok
[+]poststarthook/kube-apiserver-autoregistration ok
[+]autoregister-completion ok
[+]poststarthook/apiservice-openapi-controller ok
[+]poststarthook/apiservice-openapiv3-controller ok
livez check passed

Readiness: readyz check passed expand_more

[+]ping ok
[+]log ok
[+]etcd ok
[+]etcd-readiness ok
[+]informer-sync ok
[+]poststarthook/start-apiserver-admission-initializer ok
[+]poststarthook/generic-apiserver-start-informers ok
[+]poststarthook/priority-and-fairness-config-consumer ok
[+]poststarthook/priority-and-fairness-filter ok
[+]poststarthook/storage-object-count-tracker-hook ok
[+]poststarthook/start-apiextensions-informers ok
[+]poststarthook/start-apiextensions-controllers ok
[+]poststarthook/crd-informer-synced ok
[+]poststarthook/start-service-ip-repair-controllers ok
[+]poststarthook/rbac/bootstrap-roles ok
[+]poststarthook/scheduling/bootstrap-system-priority-classes ok
[+]poststarthook/priority-and-fairness-config-producer ok
[+]poststarthook/start-system-namespaces-controller ok
[+]poststarthook/bootstrap-controller ok
[+]poststarthook/start-cluster-authentication-info-controller ok
[+]poststarthook/start-kube-apiserver-identity-lease-controller ok
[+]poststarthook/start-kube-apiserver-identity-lease-garbage-collector ok
[+]poststarthook/start-legacy-token-tracking-controller ok
[+]poststarthook/aggregator-reload-proxy-client-cert ok
[+]poststarthook/start-kube-aggregator-informers ok
[+]poststarthook/apiservice-registration-controller ok
[+]poststarthook/apiservice-status-available-controller ok
[+]poststarthook/apiservice-discovery-controller ok
[+]poststarthook/kube-apiserver-autoregistration ok
[+]autoregister-completion ok
[+]poststarthook/apiservice-openapi-controller ok
[+]poststarthook/apiservice-openapiv3-controller ok
[+]shutdown ok
readyz check passed

Passed / Failed Checks

Cluster Summary

Cluster Name: aks-0402-dev-uks

Kubernetes Version: v1.30.11

Cluster is running an outdated version: v1.30.11 (Latest: v1.32.3)

Cluster Metrics Summary iSummary of metrics including node and pod counts, warnings, and issues.

🚀 Nodes: 6	🟩 Healthy: 6	🟥 Issues: 0
📦 Pods: 134	🟩 Running: 134	🟥 Failed: 0
🔄 Restarts: 1	🟨 Warnings: 0	🟥 Critical: 0
⏳ Pending Pods: 0	🟡 Waiting: 0
⚠️ Stuck Pods: 0	❌ Stuck: 0
📉 Job Failures: 0	🔴 Failed: 0

Pod Distribution iAverage, min, and max pods per node and total node count.

Avg: 22.3

Max: 29

Min: 14

Total Nodes: 6

Resource Usage iCluster-wide CPU and memory usage.

🖥 CPU: 51.4%
🟡 Warning

💾 Memory: 4.74%
🟩 Normal

Cluster Events iSummary of recent warning and error events.

❌ Errors: 0

⚠️ Warnings: 0

Node Conditions & Resources

NODE001 - Node Readiness and Conditions iDetects nodes that are not in Ready state or reporting other warning conditions.

✅ All Nodes are healthy.

Show Findings

Recommendations

Use kubectl describe node to check conditions and taints.
Check kubelet and container runtime status.
Verify cluster networking and node resource pressure.

Node	Status	Issues
aks-systempool-19995743-vmss00000m	✅ Healthy	None
aks-systempool-19995743-vmss00000n	✅ Healthy	None
aks-systempool-19995743-vmss00000o	✅ Healthy	None
aks-workloadpool-10479701-vmss00000e	✅ Healthy	None
aks-workloadpool-10479701-vmss00000f	✅ Healthy	None
aks-workloadpool-10479701-vmss00000g	✅ Healthy	None

NODE002 - Node Resource Pressure iDetects nodes under high CPU, memory, or disk pressure.

⚠️ Total Nodes with Issues: 3

Show Findings

Recommendations

Review node workloads with kubectl top nodes.
Move resource-hungry pods to less loaded nodes.
Scale node pool or optimize workloads if necessary.

Node	CPU Status	CPU %	CPU Used	CPU Total	Mem Status	Mem %	Mem Used	Mem Total	Disk %	Disk Status
aks-systempool-19995743-vmss00000m	✅ Normal	8.42%	160 mC	1900 mC	🟡 Warning	53.11%	3470 Mi	6533 Mi	53%	✅ Normal
aks-systempool-19995743-vmss00000n	✅ Normal	8.58%	163 mC	1900 mC	🟡 Warning	53.56%	3499 Mi	6533 Mi	53%	✅ Normal
aks-systempool-19995743-vmss00000o	✅ Normal	7.58%	144 mC	1900 mC	🟡 Warning	52.55%	3433 Mi	6533 Mi	52%	✅ Normal
aks-workloadpool-10479701-vmss00000e	✅ Normal	30.93%	1194 mC	3860 mC	✅ Normal	23.35%	3405 Mi	14584 Mi	23%	✅ Normal
aks-workloadpool-10479701-vmss00000f	✅ Normal	30.52%	1178 mC	3860 mC	✅ Normal	17.86%	2604 Mi	14584 Mi	17%	✅ Normal
aks-workloadpool-10479701-vmss00000g	✅ Normal	3.91%	151 mC	3860 mC	✅ Normal	15.14%	2208 Mi	14584 Mi	15%	✅ Normal

Namespaces

NS001 - Empty Namespaces iFinds namespaces with no running pods.

⚠️ Total Namespaces with Issues: 14

Show Findings

Recommendations

Check if any other resources (PVCs, Secrets) exist before deleting.
Use kubectl get all -n to inspect.
Clean up empty namespaces to reduce clutter.

Namespace	Status
1	📂 Empty
10	📂 Empty
2	📂 Empty
3	📂 Empty
4	📂 Empty
5	📂 Empty
6	📂 Empty
7	📂 Empty
8	📂 Empty
9	📂 Empty
aks-istio-egress	📂 Empty
default	📂 Empty
kube-node-lease	📂 Empty
kube-public	📂 Empty

NS002 - Missing or Weak ResourceQuotas iDetects namespaces with missing or incomplete ResourceQuota definitions.

⚠️ Total ResourceQuotas with Issues: 32

Show Findings

Recommendations

Define limits using ResourceQuota for pods, memory, and CPU.
Helps avoid over-provisioning and noisy neighbor issues.
Review quotas using kubectl describe quota -n .

Issue	Namespace
❌ No ResourceQuota	1
❌ No ResourceQuota	10
❌ No ResourceQuota	2
❌ No ResourceQuota	3
❌ No ResourceQuota	4
❌ No ResourceQuota	5
❌ No ResourceQuota	6
❌ No ResourceQuota	7
❌ No ResourceQuota	8
❌ No ResourceQuota	9
❌ No ResourceQuota	aks-istio-egress
❌ No ResourceQuota	aks-istio-ingress
❌ No ResourceQuota	aks-istio-system
❌ No ResourceQuota	app-routing-system
❌ No ResourceQuota	argo-rollouts
❌ No ResourceQuota	argo-workflows
❌ No ResourceQuota	argocd
❌ No ResourceQuota	cert-manager
❌ No ResourceQuota	default
❌ No ResourceQuota	gatekeeper-system
❌ No ResourceQuota	grafana
❌ No ResourceQuota	kiali-operator
❌ No ResourceQuota	kube-node-lease
❌ No ResourceQuota	kube-public
❌ No ResourceQuota	kube-system
❌ No ResourceQuota	kubeview
❌ No ResourceQuota	linkerd
❌ No ResourceQuota	nginx
❌ No ResourceQuota	pets
❌ No ResourceQuota	prometheus
❌ No ResourceQuota	sealed-secrets
❌ No ResourceQuota	test

NS003 - Missing LimitRanges iDetects namespaces without a defined LimitRange.

⚠️ Total LimitRanges with Issues: 32

Show Findings

Recommendations

LimitRanges define default and max values for CPU/memory.
Prevents pods from using unlimited resources.
Use kubectl create limitrange ... or kubectl describe limitrange -n .

Issue	Namespace
❌ No LimitRange	1
❌ No LimitRange	10
❌ No LimitRange	2
❌ No LimitRange	3
❌ No LimitRange	4
❌ No LimitRange	5
❌ No LimitRange	6
❌ No LimitRange	7
❌ No LimitRange	8
❌ No LimitRange	9
❌ No LimitRange	aks-istio-egress
❌ No LimitRange	aks-istio-ingress
❌ No LimitRange	aks-istio-system
❌ No LimitRange	app-routing-system
❌ No LimitRange	argo-rollouts
❌ No LimitRange	argo-workflows
❌ No LimitRange	argocd
❌ No LimitRange	cert-manager
❌ No LimitRange	default
❌ No LimitRange	gatekeeper-system
❌ No LimitRange	grafana
❌ No LimitRange	kiali-operator
❌ No LimitRange	kube-node-lease
❌ No LimitRange	kube-public
❌ No LimitRange	kube-system
❌ No LimitRange	kubeview
❌ No LimitRange	linkerd
❌ No LimitRange	nginx
❌ No LimitRange	pets
❌ No LimitRange	prometheus
❌ No LimitRange	sealed-secrets
❌ No LimitRange	test

Workloads

WRK001 - DaemonSets Not Fully Running iDetects DaemonSets that have fewer running pods than desired.

✅ All DaemonSets are healthy.

WRK002 - Deployment Missing Replicas iDetects Deployments where the number of available replicas is less than desired.

✅ All Deployments are healthy.

WRK003 - StatefulSet Incomplete Rollout iDetects StatefulSets where the number of ready replicas is less than the desired count.

✅ All StatefulSets are healthy.

WRK004 - HPA Misconfiguration or Inactivity iChecks for HPAs that have missing targets, no metrics, or inactive scaling.

✅ All HorizontalPodAutoscalers are healthy.

WRK005 - Missing Resource Requests or Limits iChecks for containers that are missing CPU or memory resource requests or limits.

⚠️ Total Pods with Issues: 90

Show Findings

Recommendations

Add resources.requests.cpu and resources.requests.memory to every container.
Also specify resources.limits.cpu and resources.limits.memory.
Review workloads using kubectl get deploy,statefulset,daemonset -A -o yaml.
Apply missing limits to avoid resource starvation and enforce scheduling constraints.

Message	Namespace	Resource	Value
CPU and Memory Requests and CPU and Memory Limits missing	aks-istio-ingress	Deployment/aks-istio-ingressgateway-external-asm-1-23	istio-proxy
CPU and Memory Requests and CPU and Memory Limits missing	aks-istio-system	Deployment/istiod-asm-1-23	discovery
CPU and Memory Requests and CPU and Memory Limits missing	app-routing-system	Deployment/nginx	controller
CPU and Memory Requests and CPU and Memory Limits missing	argo-rollouts	Deployment/simple-deployment	webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing	argo-workflows	Deployment/simple-deployment	webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing	argocd	Deployment/argocd-applicationset-controller	argocd-applicationset-controller
CPU and Memory Requests and CPU and Memory Limits missing	argocd	Deployment/argocd-dex-server	dex
CPU and Memory Requests and CPU and Memory Limits missing	argocd	Deployment/argocd-dex-server	copyutil
CPU and Memory Requests and CPU and Memory Limits missing	argocd	Deployment/argocd-notifications-controller	argocd-notifications-controller
CPU and Memory Requests and CPU and Memory Limits missing	argocd	Deployment/argocd-redis-ha-haproxy	haproxy
CPU and Memory Requests and CPU and Memory Limits missing	argocd	Deployment/argocd-redis-ha-haproxy	secret-init
CPU and Memory Requests and CPU and Memory Limits missing	argocd	Deployment/argocd-redis-ha-haproxy	config-init
CPU and Memory Requests and CPU and Memory Limits missing	argocd	Deployment/argocd-repo-server	argocd-repo-server
CPU and Memory Requests and CPU and Memory Limits missing	argocd	Deployment/argocd-repo-server	copyutil
CPU and Memory Requests and CPU and Memory Limits missing	argocd	Deployment/argocd-server	argocd-server
CPU and Memory Requests and CPU and Memory Limits missing	cert-manager	Deployment/simple-deployment	webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing	gatekeeper-system	Deployment/gatekeeper-audit	gatekeeper-audit-container
CPU and Memory Requests and CPU and Memory Limits missing	gatekeeper-system	Deployment/gatekeeper-controller	gatekeeper-controller-container
CPU and Memory Requests and CPU and Memory Limits missing	grafana	Deployment/simple-deployment	webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing	kiali-operator	Deployment/kiali	kiali
CPU and Memory Requests and CPU and Memory Limits missing	kiali-operator	Deployment/kiali-operator	operator
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/ama-logs-rs	ama-logs
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/ama-metrics	prometheus-collector
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/ama-metrics	addon-token-adapter
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/ama-metrics-ksm	ama-metrics-ksm
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/ama-metrics-operator-targets	targetallocator
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/ama-metrics-operator-targets	config-reader
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/azure-policy	azure-policy
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/azure-policy-webhook	azure-policy-webhook
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/azure-wi-webhook-controller-manager	manager
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/coredns	coredns
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/coredns-autoscaler	autoscaler
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/eraser-controller-manager	manager
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/keda-admission-webhooks	keda-admission-webhooks
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/keda-operator	keda-operator
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/keda-operator-metrics-apiserver	keda-operator-metrics-apiserver
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/konnectivity-agent	konnectivity-agent
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/konnectivity-agent-autoscaler	autoscaler
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/metrics-server	metrics-server-vpa
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/metrics-server	metrics-server
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/microsoft-defender-collector-misc	microsoft-defender-pod-collector
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/vpa-admission-controller	admission-controller
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/vpa-recommender	recommender
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	Deployment/vpa-updater	updater
CPU and Memory Requests and CPU and Memory Limits missing	kubeview	Deployment/simple-deployment	webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing	linkerd	Deployment/simple-deployment	webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing	nginx	Deployment/simple-deployment	webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing	pets	Deployment/order-service	order-service
CPU and Memory Requests and CPU and Memory Limits missing	pets	Deployment/order-service	wait-for-rabbitmq
CPU and Memory Requests and CPU and Memory Limits missing	pets	Deployment/product-service	product-service
CPU and Memory Requests and CPU and Memory Limits missing	pets	Deployment/store-front	store-front
CPU and Memory Requests and CPU and Memory Limits missing	prometheus	Deployment/simple-deployment	webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing	sealed-secrets	Deployment/simple-deployment	webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing	test	Deployment/simple-deployment	webserver-simple
CPU and Memory Requests and CPU and Memory Limits missing	argocd	StatefulSet/argocd-application-controller	argocd-application-controller
CPU and Memory Requests and CPU and Memory Limits missing	argocd	StatefulSet/argocd-redis-ha-server	redis
CPU and Memory Requests and CPU and Memory Limits missing	argocd	StatefulSet/argocd-redis-ha-server	sentinel
CPU and Memory Requests and CPU and Memory Limits missing	argocd	StatefulSet/argocd-redis-ha-server	split-brain-fix
CPU and Memory Requests and CPU and Memory Limits missing	argocd	StatefulSet/argocd-redis-ha-server	config-init
CPU and Memory Requests and CPU and Memory Limits missing	pets	StatefulSet/rabbitmq	rabbitmq
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/aks-secrets-store-csi-driver	node-driver-registrar
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/aks-secrets-store-csi-driver	secrets-store
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/aks-secrets-store-csi-driver	liveness-probe
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/aks-secrets-store-csi-driver-windows	node-driver-registrar
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/aks-secrets-store-csi-driver-windows	secrets-store
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/aks-secrets-store-csi-driver-windows	liveness-probe
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/aks-secrets-store-provider-azure	provider-azure-installer
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/aks-secrets-store-provider-azure-windows	provider-azure-installer
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/ama-logs	ama-logs
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/ama-logs	ama-logs-prometheus
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/ama-logs-windows	ama-logs-windows
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/ama-metrics-node	prometheus-collector
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/ama-metrics-node	addon-token-adapter
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/ama-metrics-win-node	prometheus-collector
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/ama-metrics-win-node	addon-token-adapter-win
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/azure-ip-masq-agent	azure-ip-masq-agent
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/azure-npm	azure-npm
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/azure-npm	block-wireserver
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/cloud-node-manager	cloud-node-manager
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/cloud-node-manager-windows	cloud-node-manager
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/kube-proxy	kube-proxy
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/kube-proxy	kube-proxy-bootstrap
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/microsoft-defender-collector-ds	microsoft-defender-pod-collector
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/microsoft-defender-collector-ds	microsoft-defender-low-level-collector
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/microsoft-defender-publisher-ds	microsoft-defender-publisher
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/microsoft-defender-publisher-ds	old-file-cleaner
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/retina-agent	retina
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/retina-agent	retina-agent-init
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/retina-agent-win	retinawin
CPU and Memory Requests and CPU and Memory Limits missing	kube-system	DaemonSet/windows-kube-proxy-initializer	pause

WRK006 - PDB Coverage and Effectiveness iDetects missing or weak PDBs for workloads

⚠️ Total PodDisruptionBudgets with Issues: 25

Show Findings

Recommendations

Set minAvailable to a safe minimum (not 0).
Avoid setting maxUnavailable to 1 or 100%.
Make sure PDBs match actual workloads via label selectors.

Issue	Kind	Name	Namespace
⚠️ maxUnavailable = 100%	PDB	nginx	app-routing-system
❌ No matching PDB	Deployment	simple-deployment	argo-rollouts
❌ No matching PDB	Deployment	simple-deployment	argo-workflows
❌ No matching PDB	Deployment	argocd-applicationset-controller	argocd
❌ No matching PDB	Deployment	argocd-dex-server	argocd
❌ No matching PDB	Deployment	argocd-notifications-controller	argocd
❌ No matching PDB	Deployment	argocd-redis-ha-haproxy	argocd
❌ No matching PDB	Deployment	argocd-repo-server	argocd
❌ No matching PDB	Deployment	argocd-server	argocd
❌ No matching PDB	Deployment	simple-deployment	cert-manager
❌ No matching PDB	Deployment	simple-deployment	grafana
❌ No matching PDB	Deployment	kiali	kiali-operator
❌ No matching PDB	Deployment	kiali-operator	kiali-operator
❌ No matching PDB	Deployment	simple-deployment	kubeview
❌ No matching PDB	Deployment	simple-deployment	linkerd
❌ No matching PDB	Deployment	simple-deployment	nginx
❌ No matching PDB	Deployment	order-service	pets
❌ No matching PDB	Deployment	product-service	pets
❌ No matching PDB	Deployment	store-front	pets
❌ No matching PDB	Deployment	simple-deployment	prometheus
❌ No matching PDB	Deployment	simple-deployment	sealed-secrets
❌ No matching PDB	Deployment	simple-deployment	test
❌ No matching PDB	StatefulSet	argocd-application-controller	argocd
❌ No matching PDB	StatefulSet	argocd-redis-ha-server	argocd
❌ No matching PDB	StatefulSet	rabbitmq	pets

WRK007 - Missing Readiness and Liveness Probes iDetects containers without health probes (readiness/liveness).

⚠️ Total Deployments with Issues: 56

Show Findings

Recommendations

Readiness probes indicate when a container is ready to receive traffic.
Liveness probes detect if a container is stuck or dead.
Use httpGet, tcpSocket, or exec probes for most apps.
Docs: Health probes in Kubernetes

Container	Kind	Missing	Namespace	Workload
istio-proxy	Deployment	readiness, liveness	aks-istio-ingress	aks-istio-ingressgateway-external-asm-1-23
discovery	Deployment	liveness	aks-istio-system	istiod-asm-1-23
webserver-simple	Deployment	readiness, liveness	argo-rollouts	simple-deployment
webserver-simple	Deployment	readiness, liveness	argo-workflows	simple-deployment
argocd-applicationset-controller	Deployment	readiness, liveness	argocd	argocd-applicationset-controller
dex	Deployment	readiness, liveness	argocd	argocd-dex-server
argocd-notifications-controller	Deployment	readiness	argocd	argocd-notifications-controller
webserver-simple	Deployment	readiness, liveness	cert-manager	simple-deployment
webserver-simple	Deployment	readiness, liveness	grafana	simple-deployment
ama-logs	Deployment	readiness	kube-system	ama-logs-rs
prometheus-collector	Deployment	readiness	kube-system	ama-metrics
addon-token-adapter	Deployment	readiness	kube-system	ama-metrics
targetallocator	Deployment	readiness	kube-system	ama-metrics-operator-targets
config-reader	Deployment	readiness	kube-system	ama-metrics-operator-targets
autoscaler	Deployment	readiness	kube-system	coredns-autoscaler
autoscaler	Deployment	readiness	kube-system	konnectivity-agent-autoscaler
metrics-server-vpa	Deployment	readiness, liveness	kube-system	metrics-server
microsoft-defender-pod-collector	Deployment	readiness, liveness	kube-system	microsoft-defender-collector-misc
admission-controller	Deployment	readiness, liveness	kube-system	vpa-admission-controller
recommender	Deployment	readiness, liveness	kube-system	vpa-recommender
updater	Deployment	readiness, liveness	kube-system	vpa-updater
webserver-simple	Deployment	readiness, liveness	kubeview	simple-deployment
webserver-simple	Deployment	readiness, liveness	linkerd	simple-deployment
webserver-simple	Deployment	readiness, liveness	nginx	simple-deployment
webserver-simple	Deployment	readiness, liveness	prometheus	simple-deployment
webserver-simple	Deployment	readiness, liveness	sealed-secrets	simple-deployment
webserver-simple	Deployment	readiness, liveness	test	simple-deployment
argocd-application-controller	StatefulSet	liveness	argocd	argocd-application-controller
split-brain-fix	StatefulSet	readiness, liveness	argocd	argocd-redis-ha-server
rabbitmq	StatefulSet	readiness, liveness	pets	rabbitmq
node-driver-registrar	DaemonSet	readiness	kube-system	aks-secrets-store-csi-driver
secrets-store	DaemonSet	readiness	kube-system	aks-secrets-store-csi-driver
liveness-probe	DaemonSet	readiness, liveness	kube-system	aks-secrets-store-csi-driver
node-driver-registrar	DaemonSet	readiness	kube-system	aks-secrets-store-csi-driver-windows
secrets-store	DaemonSet	readiness	kube-system	aks-secrets-store-csi-driver-windows
liveness-probe	DaemonSet	readiness, liveness	kube-system	aks-secrets-store-csi-driver-windows
provider-azure-installer	DaemonSet	readiness	kube-system	aks-secrets-store-provider-azure
provider-azure-installer	DaemonSet	readiness	kube-system	aks-secrets-store-provider-azure-windows
ama-logs	DaemonSet	readiness	kube-system	ama-logs
ama-logs-prometheus	DaemonSet	readiness	kube-system	ama-logs
ama-logs-windows	DaemonSet	readiness	kube-system	ama-logs-windows
prometheus-collector	DaemonSet	readiness	kube-system	ama-metrics-node
addon-token-adapter	DaemonSet	readiness	kube-system	ama-metrics-node
prometheus-collector	DaemonSet	readiness	kube-system	ama-metrics-win-node
addon-token-adapter-win	DaemonSet	readiness	kube-system	ama-metrics-win-node
azure-ip-masq-agent	DaemonSet	readiness, liveness	kube-system	azure-ip-masq-agent
azure-npm	DaemonSet	readiness, liveness	kube-system	azure-npm
cloud-node-manager	DaemonSet	readiness, liveness	kube-system	cloud-node-manager
cloud-node-manager	DaemonSet	readiness, liveness	kube-system	cloud-node-manager-windows
kube-proxy	DaemonSet	readiness, liveness	kube-system	kube-proxy
microsoft-defender-pod-collector	DaemonSet	readiness, liveness	kube-system	microsoft-defender-collector-ds
microsoft-defender-low-level-collector	DaemonSet	readiness, liveness	kube-system	microsoft-defender-collector-ds
microsoft-defender-publisher	DaemonSet	readiness, liveness	kube-system	microsoft-defender-publisher-ds
retina	DaemonSet	liveness	kube-system	retina-agent
retinawin	DaemonSet	readiness, liveness	kube-system	retina-agent-win
pause	DaemonSet	readiness, liveness	kube-system	windows-kube-proxy-initializer

WRK008 - Deployment Selector Without Matching Pods iDetects Deployments whose spec.selector does not match any existing Pods. This results in 0 replicas running.

✅ All Deployments are healthy.

Pods

POD001 - Pods with High Restarts iDetects pods that have restarted more than the defined threshold.

✅ All Pods are healthy.

POD002 - Long Running Pods iFlags pods that have been running longer than configured thresholds.

✅ All Pods are healthy.

POD003 - Failed Pods iDetects pods in a failed phase, typically due to startup errors, crashes, or misconfiguration.

✅ All Pods are healthy.

POD004 - Pending Pods iDetects pods stuck in a 'Pending' state due to scheduling or resource issues.

✅ All Pods are healthy.

POD005 - CrashLoopBackOff Pods iIdentifies pods stuck in a CrashLoopBackOff state due to repeated container crashes.

✅ All Pods are healthy.

POD006 - Leftover Debug Pods iDetects pods created by 'kubectl debug' that haven't been cleaned up.

✅ All Pods are healthy.

POD007 - Container images do not use latest tag iFlags containers using the 'latest' tag in their image, which can cause unpredictable upgrades.

⚠️ Total Pods with Issues: 3

Show Findings

Recommendations

🛠️ Use Specific Image Tags

Don't use the :latest tag in container images.
Why: It can pull different images on each deploy, leading to drift.
Fix: Tag images explicitly (e.g., :v1.2.3) and update the pod spec.
Docs: Kubernetes Image Tagging

Message	Namespace	Resource	Value
Container image uses the 'latest' tag, which can lead to unpredictable deployments.	pets	pod/order-service-6c5bfb6946-b58xq	ghcr.io/azure-samples/aks-store-demo/order-service:latest, mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless
Container image uses the 'latest' tag, which can lead to unpredictable deployments.	pets	pod/product-service-5dd87dfb8-ssfxc	ghcr.io/azure-samples/aks-store-demo/product-service:latest, mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless
Container image uses the 'latest' tag, which can lead to unpredictable deployments.	pets	pod/store-front-658994fd95-pk9qn	ghcr.io/azure-samples/aks-store-demo/store-front:latest, mcr.microsoft.com/oss/istio/proxyv2:1.23.5-distroless

Jobs

JOB001 - Stuck Kubernetes Jobs iFinds Jobs that have started but not completed within a threshold.

✅ All Jobs are healthy.

JOB002 - Failed Kubernetes Jobs iDetects jobs with failures and no successful completions.

✅ All Jobs are healthy.

Networking

NET001 - Services Without Endpoints iIdentifies services that have no backing endpoints, which means no pods are matched.

⚠️ Total Services with Issues: 1

Show Findings

Recommendations

🔍 Services Without Endpoints

Verify that your service has a valid selector.
Check if pods exist and are ready in the same namespace.
Use kubectl describe svc and kubectl get endpoints .
Restart affected pods or fix labels as needed.

Message	Namespace	Resource	Value
No endpoints available	kube-system	service/network-observability	network-observability

NET002 - Publicly Accessible Services iDetects services of type LoadBalancer or NodePort that are potentially exposed to the internet.

⚠️ Total Services with Issues: 4

Show Findings

Recommendations

🌐 Secure Exposed Services

Use internal IP ranges or private LoadBalancers where possible.
Restrict NodePort usage or protect with firewall rules.
Disable external exposure for internal-only services.
Consider network policies or service mesh for access control.

Message	Namespace	Resource	Value
Exposed via external IP: 131.145.32.126	aks-istio-ingress	service/aks-istio-ingressgateway-external	LoadBalancer
Exposed via external IP: 4.250.59.60	app-routing-system	service/nginx	LoadBalancer
Exposed via external IP: 85.210.102.171	pets	service/store-front	LoadBalancer
Exposed via NodePort	test	service/simple-service	NodePort

NET003 - Ingress Health Validation iValidates ingress definitions for missing classes, invalid backends, missing TLS secrets, duplicate host/path entries, and incorrect path types.

✅ All Ingresses are healthy.

NET004 - Namespace Missing Network Policy iDetects namespaces that have running pods but no associated NetworkPolicy resources. This could allow unrestricted pod-to-pod communication.

⚠️ Total Namespaces with Issues: 16

Show Findings

Recommendations

Apply a default deny-all NetworkPolicy for ingress and egress.
Use additional policies to allow traffic between required pods/services.

Issue	Namespace	Pods
No NetworkPolicy in active namespace	aks-istio-ingress	2
No NetworkPolicy in active namespace	aks-istio-system	2
No NetworkPolicy in active namespace	app-routing-system	2
No NetworkPolicy in active namespace	argo-rollouts	1
No NetworkPolicy in active namespace	argo-workflows	1
No NetworkPolicy in active namespace	cert-manager	1
No NetworkPolicy in active namespace	gatekeeper-system	3
No NetworkPolicy in active namespace	grafana	1
No NetworkPolicy in active namespace	kiali-operator	2
No NetworkPolicy in active namespace	kubeview	1
No NetworkPolicy in active namespace	linkerd	1
No NetworkPolicy in active namespace	nginx	1
No NetworkPolicy in active namespace	pets	4
No NetworkPolicy in active namespace	prometheus	1
No NetworkPolicy in active namespace	sealed-secrets	1
No NetworkPolicy in active namespace	test	1

Storage

PVC001 - Unused Persistent Volume Claims iDetects PVCs not attached to any pod.

✅ All PersistentVolumeClaims are healthy.

Configuration Hygiene

CFG001 - Orphaned ConfigMaps iDetects ConfigMaps that are not referenced by any pod, workload, service, or ingress.

⚠️ Total ConfigMaps with Issues: 19

Show Findings

Recommendations

🛠️ Clean Up Orphaned ConfigMaps

Verify: Check usage (kubectl describe cm ).
Delete: kubectl delete cm if unused.
Automation: Schedule periodic scans.

Message	Namespace	Resource
ConfigMap is not used by any workloads or services.	aks-istio-system	configmap/istio-asm-1-23
ConfigMap is not used by any workloads or services.	aks-istio-system	configmap/istio-gateway-status-leader
ConfigMap is not used by any workloads or services.	aks-istio-system	configmap/istio-leader
ConfigMap is not used by any workloads or services.	aks-istio-system	configmap/istio-namespace-controller-election
ConfigMap is not used by any workloads or services.	aks-istio-system	configmap/istio-sidecar-injector-asm-1-23
ConfigMap is not used by any workloads or services.	app-routing-system	configmap/nginx
ConfigMap is not used by any workloads or services.	argocd	configmap/argocd-notifications-cm
ConfigMap is not used by any workloads or services.	argocd	configmap/argocd-rbac-cm
ConfigMap is not used by any workloads or services.	kube-system	configmap/azure-ip-masq-agent-config-reconciled
ConfigMap is not used by any workloads or services.	kube-system	configmap/cluster-autoscaler-status
ConfigMap is not used by any workloads or services.	kube-system	configmap/container-azm-ms-aks-k8scluster
ConfigMap is not used by any workloads or services.	kube-system	configmap/coredns-autoscaler
ConfigMap is not used by any workloads or services.	kube-system	configmap/eraser-system-exclusion
ConfigMap is not used by any workloads or services.	kube-system	configmap/extension-apiserver-authentication
ConfigMap is not used by any workloads or services.	kube-system	configmap/extension-immutable-values
ConfigMap is not used by any workloads or services.	kube-system	configmap/konnectivity-agent-autoscaler
ConfigMap is not used by any workloads or services.	kube-system	configmap/kube-apiserver-legacy-service-account-token-tracking
ConfigMap is not used by any workloads or services.	kube-system	configmap/overlay-upgrade-data
ConfigMap is not used by any workloads or services.	kube-system	configmap/retina-config-win

CFG002 - Duplicate ConfigMap Names iDetects ConfigMaps with identical names across different namespaces.

⚠️ Total ConfigMaps with Issues: 2

Show Findings

Recommendations

🛠️ Fix Duplicate ConfigMap Names

Standardize: Use unique names or a naming convention that includes the environment or team name.
Audit: Periodically review ConfigMaps across namespaces for duplication.
Automation: Use policies or linting tools to catch duplicates pre-deploy.

Message	Resource
Found in namespaces: 1, 10, 2, 3, 4, 5, 6, 7, 8, 9, aks-istio-egress, aks-istio-ingress, aks-istio-system, app-routing-system, argo-rollouts, argo-workflows, argocd, cert-manager, default, gatekeeper-system, grafana, kiali-operator, kube-system, kubeview, linkerd, nginx, pets, prometheus, sealed-secrets, test	istio-ca-root-cert
Found in namespaces: 1, 10, 2, 3, 4, 5, 6, 7, 8, 9, aks-istio-egress, aks-istio-ingress, aks-istio-system, app-routing-system, argo-rollouts, argo-workflows, argocd, cert-manager, default, gatekeeper-system, grafana, kiali-operator, kube-node-lease, kube-public, kube-system, kubeview, linkerd, nginx, pets, prometheus, sealed-secrets, test	kube-root-ca.crt

CFG003 - Large ConfigMaps iFinds ConfigMaps larger than 1 MiB, which may impact performance or exceed platform limits.

✅ All ConfigMaps are healthy.

Security

RBAC001 - RBAC Misconfigurations iDetects invalid roleRefs, missing roles, orphaned service accounts, and incorrect subject namespaces in RoleBindings and ClusterRoleBindings.

⚠️ Total ClusterRoleBindings with Issues: 10

Show Findings

Recommendations

🔐 RBAC Misconfiguration Fixes

Don't leave roleRef blank in bindings.
Use valid Roles/ClusterRoles that exist in the correct namespace.
Verify ServiceAccounts exist in the namespace specified.
Remove or correct subjects pointing to non-existent namespaces.

Message	Namespace	Resource	Value
ServiceAccount not found	kube-system	RoleBinding/system::leader-locking-kube-controller-manager	ServiceAccount/kube-controller-manager
ServiceAccount not found	kube-system	RoleBinding/system::leader-locking-kube-scheduler	ServiceAccount/kube-scheduler
ServiceAccount not found	kube-system	RoleBinding/system:controller:cloud-provider	ServiceAccount/cloud-provider
ServiceAccount not found	aks-istio-system	ClusterRoleBinding/istio-reader-clusterrole-asm-1-23-aks-istio-system	ServiceAccount/istio-reader-service-account
ServiceAccount not found	kube-system	ClusterRoleBinding/secretproviderrotation-rolebinding	ServiceAccount/secrets-store-csi-driver
ServiceAccount not found	kube-system	ClusterRoleBinding/system:azure-cloud-provider	ServiceAccount/azure-cloud-provider
ServiceAccount not found	kube-system	ClusterRoleBinding/system:azure-cloud-provider-secret-getter	ServiceAccount/azure-cloud-provider
ServiceAccount not found	kube-system	ClusterRoleBinding/system:controller:route-controller	ServiceAccount/route-controller
ServiceAccount not found	kube-system	ClusterRoleBinding/system:controller:service-controller	ServiceAccount/service-controller
ServiceAccount not found	kube-system	ClusterRoleBinding/system:kube-dns	ServiceAccount/kube-dns

RBAC002 - RBAC Overexposure iIdentifies dangerous RBAC grants such as cluster-admin, wildcard permissions, and sensitive resource access in roles and bindings.

⚠️ Total ClusterRoleBindings with Issues: 21

Show Findings

Recommendations

🔐 RBAC Hardening Tips

Avoid using cluster-admin directly in bindings.
Don’t assign Roles or ClusterRoles with wildcard verbs/resources/apiGroups.
Restrict access to sensitive resources like secrets or pods/exec.
Minimize privileges for default ServiceAccounts.
Document use of any built-in roles used in production.

Message	Namespace	Resource	Value
cluster-admin binding (built-in)	🌍 Cluster-Wide	ClusterRoleBinding/aks-cluster-admin-binding	User/clusterAdmin
cluster-admin binding (built-in)	🌍 Cluster-Wide	ClusterRoleBinding/aks-cluster-admin-binding	User/clusterUser
cluster-admin binding (built-in)	🌍 Cluster-Wide	ClusterRoleBinding/aks-cluster-admin-binding-aad	Group/e591c663-c79c-47a4-94b8-f646b8647046
Access to sensitive resources	🌍 Cluster-Wide	ClusterRoleBinding/aks-secretprovidersyncing-rolebinding	ServiceAccount/aks-secrets-store-csi-driver
Access to sensitive resources	🌍 Cluster-Wide	ClusterRoleBinding/aks-service-rolebinding	User/aks-support
Wildcard permission role	🌍 Cluster-Wide	ClusterRoleBinding/argocd-application-controller	ServiceAccount/argocd-application-controller
cluster-admin binding (built-in)	🌍 Cluster-Wide	ClusterRoleBinding/cluster-admin	Group/system:masters
cluster-admin binding (built-in)	🌍 Cluster-Wide	ClusterRoleBinding/extension-operator	ServiceAccount/extension-operatorsa
Access to sensitive resources	🌍 Cluster-Wide	ClusterRoleBinding/kiali-operator	ServiceAccount/kiali-operator
Access to sensitive resources (built-in)	🌍 Cluster-Wide	ClusterRoleBinding/system:controller:clusterrole-aggregation-controller	ServiceAccount/clusterrole-aggregation-controller
Access to sensitive resources (built-in)	🌍 Cluster-Wide	ClusterRoleBinding/system:controller:legacy-service-account-token-cleaner	ServiceAccount/legacy-service-account-token-cleaner
Access to sensitive resources (built-in)	🌍 Cluster-Wide	ClusterRoleBinding/system:kube-controller-manager	User/system:kube-controller-manager
Access to sensitive resources (built-in)	🌍 Cluster-Wide	ClusterRoleBinding/system:kube-scheduler	User/system:kube-scheduler
Access to sensitive resources (built-in)	🌍 Cluster-Wide	ClusterRoleBinding/system:persistent-volume-binding	ServiceAccount/persistent-volume-binder
Access to sensitive resources	aks-istio-system	RoleBinding/istiod-asm-1-23	ServiceAccount/istiod-asm-1-23
Access to sensitive resources	argocd	RoleBinding/argocd-redis-ha-haproxy	ServiceAccount/argocd-redis-ha-haproxy
Access to sensitive resources	argocd	RoleBinding/argocd-server	ServiceAccount/argocd-server
Access to sensitive resources	gatekeeper-system	RoleBinding/gatekeeper-manager-rolebinding	ServiceAccount/gatekeeper-admin
Access to sensitive resources	kube-system	RoleBinding/azure-policy-webhook-rolebinding	ServiceAccount/azure-policy-webhook-account
Access to sensitive resources	kube-system	RoleBinding/keda-operator-certs	ServiceAccount/keda-operator
Access to sensitive resources	kube-system	RoleBinding/system:controller:token-cleaner	ServiceAccount/token-cleaner

RBAC003 - Orphaned ServiceAccounts iFinds ServiceAccounts not used by any pods or referenced in RoleBindings or ClusterRoleBindings.

⚠️ Total ServiceAccounts with Issues: 20

Show Findings

Recommendations

🧾 Remove Orphaned ServiceAccounts

Audit ServiceAccounts not referenced in RoleBindings, ClusterRoleBindings, or used by Pods.
Delete those not actively used to reduce attack surface.
Consider automating SA cleanup with CI/CD or policy enforcement.

Message	Namespace	Resource	Value
ServiceAccount not used by pods or RBAC bindings	1	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	10	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	2	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	3	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	4	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	5	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	6	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	7	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	8	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	9	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	aks-istio-egress	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	aks-istio-ingress	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	aks-istio-system	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	app-routing-system	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	argocd	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	default	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	gatekeeper-system	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	kiali-operator	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	kube-node-lease	serviceaccount/default	default
ServiceAccount not used by pods or RBAC bindings	kube-public	serviceaccount/default	default

RBAC004 - Orphaned and Ineffective Roles iFlags Roles and ClusterRoles that are unused, lack subjects, or define no rules.

⚠️ Total Roles/ClusterRoles with Issues: 4

Show Findings

Recommendations

🗂️ Clean up Unused or Ineffective RBAC

Remove RoleBindings or ClusterRoleBindings without subjects.
Prune Roles and ClusterRoles not referenced by any bindings.
Remove roles with no defined rules unless planned for future use.

Message	Namespace	Resource	Value
ClusterRoleBinding has no subjects	cluster-wide	clusterrolebinding/system:node	system:node
Unused ClusterRole	cluster-wide	clusterrole/aks-secretproviderclasses-admin-role	aks-secretproviderclasses-admin-role
Unused ClusterRole	cluster-wide	clusterrole/aks-secretproviderclasses-viewer-role	aks-secretproviderclasses-viewer-role
ClusterRole has no rules	cluster-wide	clusterrole/eraser-imagejob-pods-cluster-role	eraser-imagejob-pods-cluster-role

SEC001 - Orphaned Secrets iDetects Secrets not used by any workloads, ingresses, service accounts, or known custom resources.

⚠️ Total Secrets with Issues: 10

Show Findings

Recommendations

🔐 Orphaned Secrets Cleanup

Remove Secrets not referenced in Pods, Deployments, StatefulSets, or Ingresses.
Audit Secret content before deletion to avoid removing active credentials.
Validate Custom Resources don’t indirectly depend on these Secrets.
Regularly prune Secrets as part of security hygiene.

Message	Namespace	Resource	Value
Secret appears unused across workloads, ingresses, service accounts, or CRs	aks-istio-system	secret/istio-ca-secret	istio-ca-secret
Secret appears unused across workloads, ingresses, service accounts, or CRs	argocd	secret/argocd-initial-admin-secret	argocd-initial-admin-secret
Secret appears unused across workloads, ingresses, service accounts, or CRs	argocd	secret/argocd-notifications-secret	argocd-notifications-secret
Secret appears unused across workloads, ingresses, service accounts, or CRs	argocd	secret/argocd-secret	argocd-secret
Secret appears unused across workloads, ingresses, service accounts, or CRs	argocd	secret/repo-1114886772	repo-1114886772
Secret appears unused across workloads, ingresses, service accounts, or CRs	argocd	secret/repo-1952242182	repo-1952242182
Secret appears unused across workloads, ingresses, service accounts, or CRs	kube-system	secret/aad-msi-auth-token	aad-msi-auth-token
Secret appears unused across workloads, ingresses, service accounts, or CRs	kube-system	secret/azure-policy-webhook-cert	azure-policy-webhook-cert
Secret appears unused across workloads, ingresses, service accounts, or CRs	kube-system	secret/extensions-aad-msi-token	extensions-aad-msi-token
Secret appears unused across workloads, ingresses, service accounts, or CRs	kube-system	secret/omsagent-aad-msi-token	omsagent-aad-msi-token

SEC002 - Pods using hostPID or hostNetwork iFlags pods that share the host's PID or network namespace, which can compromise isolation and node security.

⚠️ Total Pods with Issues: 36

Show Findings

Recommendations

⚠️ Avoid Host-Level Sharing

Set hostPID: false and hostNetwork: false unless needed for special workloads.
Review security implications of namespace sharing with the host.
Restrict use of these settings to trusted namespaces and workloads.
Consider using PSPs or OPA/Gatekeeper policies to prevent usage cluster-wide.

Message	Namespace	Resource	Value
Pod uses hostNetwork	kube-system	pod/aks-secrets-store-provider-azure-68nhw	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/aks-secrets-store-provider-azure-7bqmn	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/aks-secrets-store-provider-azure-7r458	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/aks-secrets-store-provider-azure-k9tdc	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/aks-secrets-store-provider-azure-n952g	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/aks-secrets-store-provider-azure-njpqh	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/azure-ip-masq-agent-4522j	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/azure-ip-masq-agent-4c7cr	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/azure-ip-masq-agent-78rnw	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/azure-ip-masq-agent-84ltn	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/azure-ip-masq-agent-t4c2w	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/azure-ip-masq-agent-vbdd8	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/azure-npm-jsbbh	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/azure-npm-lp6sf	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/azure-npm-nv6xx	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/azure-npm-p6fpw	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/azure-npm-vsrfp	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/azure-npm-z8mcz	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/cloud-node-manager-57rk2	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/cloud-node-manager-gl5xl	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/cloud-node-manager-l7v5j	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/cloud-node-manager-lr49d	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/cloud-node-manager-n5qdr	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/cloud-node-manager-xwrrd	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/kube-proxy-26xkd	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/kube-proxy-6mrql	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/kube-proxy-9rbxf	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/kube-proxy-njzgk	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/kube-proxy-rvmxl	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/kube-proxy-vp7xj	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/retina-agent-9g44d	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/retina-agent-d6wf4	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/retina-agent-gj4r5	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/retina-agent-rndzh	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/retina-agent-szggl	hostPID=False, hostNetwork=True
Pod uses hostNetwork	kube-system	pod/retina-agent-t68m8	hostPID=False, hostNetwork=True

SEC003 - Pods Running as Root iDetects pods running with UID 0 or no explicit runAsUser setting (defaults to root).

⚠️ Total Pods with Issues: 372

Show Findings

Recommendations

🔐 RunAsUser Hardening

Set runAsUser: non-zero UID at pod or container level.
Avoid relying on container defaults — define securityContext explicitly.
Use Pod Security Policies (PSPs) or Gatekeeper policies to enforce non-root UID usage.
Validate any custom base images that may default to root.

Message	Namespace	Resource	Value
Container runs as root or has no runAsUser set	aks-istio-ingress	pod/aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	aks-istio-ingress	pod/aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	aks-istio-ingress	pod/aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	aks-istio-ingress	pod/aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb	Not Set (Defaults to root)
Container discovery runs as root or has no runAsUser set	aks-istio-system	pod/istiod-asm-1-23-7744d5fbf4-9572m	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	aks-istio-system	pod/istiod-asm-1-23-7744d5fbf4-9572m	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	aks-istio-system	pod/istiod-asm-1-23-7744d5fbf4-9572m	Not Set (Defaults to root)
Container discovery runs as root or has no runAsUser set	aks-istio-system	pod/istiod-asm-1-23-7744d5fbf4-rqzvt	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	aks-istio-system	pod/istiod-asm-1-23-7744d5fbf4-rqzvt	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	aks-istio-system	pod/istiod-asm-1-23-7744d5fbf4-rqzvt	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	app-routing-system	pod/nginx-69fcb489fd-4wgk9	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	app-routing-system	pod/nginx-69fcb489fd-4wgk9	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	app-routing-system	pod/nginx-69fcb489fd-64v6k	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	app-routing-system	pod/nginx-69fcb489fd-64v6k	Not Set (Defaults to root)
Container webserver-simple runs as root or has no runAsUser set	argo-rollouts	pod/simple-deployment-74fd649f8d-996vt	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	argo-rollouts	pod/simple-deployment-74fd649f8d-996vt	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	argo-rollouts	pod/simple-deployment-74fd649f8d-996vt	Not Set (Defaults to root)
Container webserver-simple runs as root or has no runAsUser set	argo-workflows	pod/simple-deployment-74fd649f8d-24t56	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	argo-workflows	pod/simple-deployment-74fd649f8d-24t56	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	argo-workflows	pod/simple-deployment-74fd649f8d-24t56	Not Set (Defaults to root)
Container argocd-application-controller runs as root or has no runAsUser set	argocd	pod/argocd-application-controller-0	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	argocd	pod/argocd-application-controller-0	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	argocd	pod/argocd-application-controller-0	Not Set (Defaults to root)
Container argocd-applicationset-controller runs as root or has no runAsUser set	argocd	pod/argocd-applicationset-controller-6fdf84dbb6-msffz	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	argocd	pod/argocd-applicationset-controller-6fdf84dbb6-msffz	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	argocd	pod/argocd-applicationset-controller-6fdf84dbb6-msffz	Not Set (Defaults to root)
Container dex runs as root or has no runAsUser set	argocd	pod/argocd-dex-server-556c76889-h4kxj	Not Set (Defaults to root)
Container copyutil runs as root or has no runAsUser set	argocd	pod/argocd-dex-server-556c76889-h4kxj	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	argocd	pod/argocd-dex-server-556c76889-h4kxj	Not Set (Defaults to root)
Container argocd-notifications-controller runs as root or has no runAsUser set	argocd	pod/argocd-notifications-controller-6ff6bf8dd6-nbktr	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	argocd	pod/argocd-notifications-controller-6ff6bf8dd6-nbktr	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	argocd	pod/argocd-notifications-controller-6ff6bf8dd6-nbktr	Not Set (Defaults to root)
Container argocd-repo-server runs as root or has no runAsUser set	argocd	pod/argocd-repo-server-8568fc89b5-sx6ks	Not Set (Defaults to root)
Container copyutil runs as root or has no runAsUser set	argocd	pod/argocd-repo-server-8568fc89b5-sx6ks	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	argocd	pod/argocd-repo-server-8568fc89b5-sx6ks	Not Set (Defaults to root)
Container argocd-repo-server runs as root or has no runAsUser set	argocd	pod/argocd-repo-server-8568fc89b5-xrzzn	Not Set (Defaults to root)
Container copyutil runs as root or has no runAsUser set	argocd	pod/argocd-repo-server-8568fc89b5-xrzzn	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	argocd	pod/argocd-repo-server-8568fc89b5-xrzzn	Not Set (Defaults to root)
Container argocd-server runs as root or has no runAsUser set	argocd	pod/argocd-server-c5b86c885-2zqmx	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	argocd	pod/argocd-server-c5b86c885-2zqmx	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	argocd	pod/argocd-server-c5b86c885-2zqmx	Not Set (Defaults to root)
Container argocd-server runs as root or has no runAsUser set	argocd	pod/argocd-server-c5b86c885-zlzd5	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	argocd	pod/argocd-server-c5b86c885-zlzd5	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	argocd	pod/argocd-server-c5b86c885-zlzd5	Not Set (Defaults to root)
Container webserver-simple runs as root or has no runAsUser set	cert-manager	pod/simple-deployment-74fd649f8d-7cht8	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	cert-manager	pod/simple-deployment-74fd649f8d-7cht8	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	cert-manager	pod/simple-deployment-74fd649f8d-7cht8	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	gatekeeper-system	pod/gatekeeper-audit-77858c8f69-7k782	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	gatekeeper-system	pod/gatekeeper-audit-77858c8f69-7k782	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	gatekeeper-system	pod/gatekeeper-controller-6f97954b4b-7tbnr	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	gatekeeper-system	pod/gatekeeper-controller-6f97954b4b-7tbnr	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	gatekeeper-system	pod/gatekeeper-controller-6f97954b4b-gwrgg	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	gatekeeper-system	pod/gatekeeper-controller-6f97954b4b-gwrgg	Not Set (Defaults to root)
Container webserver-simple runs as root or has no runAsUser set	grafana	pod/simple-deployment-74fd649f8d-l7wrd	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	grafana	pod/simple-deployment-74fd649f8d-l7wrd	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	grafana	pod/simple-deployment-74fd649f8d-l7wrd	Not Set (Defaults to root)
Container kiali runs as root or has no runAsUser set	kiali-operator	pod/kiali-5b88cfb6f8-cm8dz	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kiali-operator	pod/kiali-5b88cfb6f8-cm8dz	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kiali-operator	pod/kiali-5b88cfb6f8-cm8dz	Not Set (Defaults to root)
Container operator runs as root or has no runAsUser set	kiali-operator	pod/kiali-operator-696bd54db-mr8md	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kiali-operator	pod/kiali-operator-696bd54db-mr8md	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kiali-operator	pod/kiali-operator-696bd54db-mr8md	Not Set (Defaults to root)
Container node-driver-registrar runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-2l2wl	Not Set (Defaults to root)
Container secrets-store runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-2l2wl	Not Set (Defaults to root)
Container liveness-probe runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-2l2wl	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-2l2wl	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-2l2wl	Not Set (Defaults to root)
Container node-driver-registrar runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-6w2vp	Not Set (Defaults to root)
Container secrets-store runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-6w2vp	Not Set (Defaults to root)
Container liveness-probe runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-6w2vp	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-6w2vp	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-6w2vp	Not Set (Defaults to root)
Container node-driver-registrar runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-7879c	Not Set (Defaults to root)
Container secrets-store runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-7879c	Not Set (Defaults to root)
Container liveness-probe runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-7879c	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-7879c	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-7879c	Not Set (Defaults to root)
Container node-driver-registrar runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-m8m29	Not Set (Defaults to root)
Container secrets-store runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-m8m29	Not Set (Defaults to root)
Container liveness-probe runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-m8m29	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-m8m29	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-m8m29	Not Set (Defaults to root)
Container node-driver-registrar runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-vnmcd	Not Set (Defaults to root)
Container secrets-store runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-vnmcd	Not Set (Defaults to root)
Container liveness-probe runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-vnmcd	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-vnmcd	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-vnmcd	Not Set (Defaults to root)
Container node-driver-registrar runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-zrfbz	Not Set (Defaults to root)
Container secrets-store runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-zrfbz	Not Set (Defaults to root)
Container liveness-probe runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-zrfbz	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-zrfbz	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-csi-driver-zrfbz	Not Set (Defaults to root)
Container provider-azure-installer runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-68nhw	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-68nhw	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-68nhw	Not Set (Defaults to root)
Container provider-azure-installer runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-7bqmn	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-7bqmn	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-7bqmn	Not Set (Defaults to root)
Container provider-azure-installer runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-7r458	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-7r458	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-7r458	Not Set (Defaults to root)
Container provider-azure-installer runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-k9tdc	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-k9tdc	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-k9tdc	Not Set (Defaults to root)
Container provider-azure-installer runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-n952g	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-n952g	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-n952g	Not Set (Defaults to root)
Container provider-azure-installer runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-njpqh	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-njpqh	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/aks-secrets-store-provider-azure-njpqh	Not Set (Defaults to root)
Container ama-logs runs as root or has no runAsUser set	kube-system	pod/ama-logs-4v8mz	Not Set (Defaults to root)
Container ama-logs-prometheus runs as root or has no runAsUser set	kube-system	pod/ama-logs-4v8mz	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-logs-4v8mz	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-logs-4v8mz	Not Set (Defaults to root)
Container ama-logs runs as root or has no runAsUser set	kube-system	pod/ama-logs-5vr2w	Not Set (Defaults to root)
Container ama-logs-prometheus runs as root or has no runAsUser set	kube-system	pod/ama-logs-5vr2w	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-logs-5vr2w	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-logs-5vr2w	Not Set (Defaults to root)
Container ama-logs runs as root or has no runAsUser set	kube-system	pod/ama-logs-fmd7b	Not Set (Defaults to root)
Container ama-logs-prometheus runs as root or has no runAsUser set	kube-system	pod/ama-logs-fmd7b	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-logs-fmd7b	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-logs-fmd7b	Not Set (Defaults to root)
Container ama-logs runs as root or has no runAsUser set	kube-system	pod/ama-logs-fpkw6	Not Set (Defaults to root)
Container ama-logs-prometheus runs as root or has no runAsUser set	kube-system	pod/ama-logs-fpkw6	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-logs-fpkw6	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-logs-fpkw6	Not Set (Defaults to root)
Container ama-logs runs as root or has no runAsUser set	kube-system	pod/ama-logs-gqs28	Not Set (Defaults to root)
Container ama-logs-prometheus runs as root or has no runAsUser set	kube-system	pod/ama-logs-gqs28	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-logs-gqs28	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-logs-gqs28	Not Set (Defaults to root)
Container ama-logs runs as root or has no runAsUser set	kube-system	pod/ama-logs-ndxrw	Not Set (Defaults to root)
Container ama-logs-prometheus runs as root or has no runAsUser set	kube-system	pod/ama-logs-ndxrw	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-logs-ndxrw	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-logs-ndxrw	Not Set (Defaults to root)
Container ama-logs runs as root or has no runAsUser set	kube-system	pod/ama-logs-rs-64765bd4b9-ldxwl	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-logs-rs-64765bd4b9-ldxwl	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-logs-rs-64765bd4b9-ldxwl	Not Set (Defaults to root)
Container prometheus-collector runs as root or has no runAsUser set	kube-system	pod/ama-metrics-7f878d975f-hlggb	Not Set (Defaults to root)
Container addon-token-adapter runs as root or has no runAsUser set	kube-system	pod/ama-metrics-7f878d975f-hlggb	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-7f878d975f-hlggb	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-7f878d975f-hlggb	Not Set (Defaults to root)
Container prometheus-collector runs as root or has no runAsUser set	kube-system	pod/ama-metrics-7f878d975f-q2mlg	Not Set (Defaults to root)
Container addon-token-adapter runs as root or has no runAsUser set	kube-system	pod/ama-metrics-7f878d975f-q2mlg	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-7f878d975f-q2mlg	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-7f878d975f-q2mlg	Not Set (Defaults to root)
Container prometheus-collector runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-2ssrw	Not Set (Defaults to root)
Container addon-token-adapter runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-2ssrw	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-2ssrw	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-2ssrw	Not Set (Defaults to root)
Container prometheus-collector runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-6kkz8	Not Set (Defaults to root)
Container addon-token-adapter runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-6kkz8	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-6kkz8	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-6kkz8	Not Set (Defaults to root)
Container prometheus-collector runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-9h44h	Not Set (Defaults to root)
Container addon-token-adapter runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-9h44h	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-9h44h	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-9h44h	Not Set (Defaults to root)
Container prometheus-collector runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-lhk42	Not Set (Defaults to root)
Container addon-token-adapter runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-lhk42	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-lhk42	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-lhk42	Not Set (Defaults to root)
Container prometheus-collector runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-nm5bf	Not Set (Defaults to root)
Container addon-token-adapter runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-nm5bf	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-nm5bf	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-nm5bf	Not Set (Defaults to root)
Container prometheus-collector runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-pqcz5	Not Set (Defaults to root)
Container addon-token-adapter runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-pqcz5	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-pqcz5	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-node-pqcz5	Not Set (Defaults to root)
Container targetallocator runs as root or has no runAsUser set	kube-system	pod/ama-metrics-operator-targets-66fb46c8d6-vskdg	Not Set (Defaults to root)
Container config-reader runs as root or has no runAsUser set	kube-system	pod/ama-metrics-operator-targets-66fb46c8d6-vskdg	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-operator-targets-66fb46c8d6-vskdg	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/ama-metrics-operator-targets-66fb46c8d6-vskdg	Not Set (Defaults to root)
Container azure-ip-masq-agent runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-4522j	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-4522j	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-4522j	Not Set (Defaults to root)
Container azure-ip-masq-agent runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-4c7cr	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-4c7cr	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-4c7cr	Not Set (Defaults to root)
Container azure-ip-masq-agent runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-78rnw	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-78rnw	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-78rnw	Not Set (Defaults to root)
Container azure-ip-masq-agent runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-84ltn	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-84ltn	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-84ltn	Not Set (Defaults to root)
Container azure-ip-masq-agent runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-t4c2w	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-t4c2w	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-t4c2w	Not Set (Defaults to root)
Container azure-ip-masq-agent runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-vbdd8	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-vbdd8	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-ip-masq-agent-vbdd8	Not Set (Defaults to root)
Container azure-npm runs as root or has no runAsUser set	kube-system	pod/azure-npm-jsbbh	Not Set (Defaults to root)
Container block-wireserver runs as root or has no runAsUser set	kube-system	pod/azure-npm-jsbbh	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-npm-jsbbh	Not Set (Defaults to root)
Container azure-npm runs as root or has no runAsUser set	kube-system	pod/azure-npm-lp6sf	Not Set (Defaults to root)
Container block-wireserver runs as root or has no runAsUser set	kube-system	pod/azure-npm-lp6sf	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-npm-lp6sf	Not Set (Defaults to root)
Container azure-npm runs as root or has no runAsUser set	kube-system	pod/azure-npm-nv6xx	Not Set (Defaults to root)
Container block-wireserver runs as root or has no runAsUser set	kube-system	pod/azure-npm-nv6xx	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-npm-nv6xx	Not Set (Defaults to root)
Container azure-npm runs as root or has no runAsUser set	kube-system	pod/azure-npm-p6fpw	Not Set (Defaults to root)
Container block-wireserver runs as root or has no runAsUser set	kube-system	pod/azure-npm-p6fpw	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-npm-p6fpw	Not Set (Defaults to root)
Container azure-npm runs as root or has no runAsUser set	kube-system	pod/azure-npm-vsrfp	Not Set (Defaults to root)
Container block-wireserver runs as root or has no runAsUser set	kube-system	pod/azure-npm-vsrfp	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-npm-vsrfp	Not Set (Defaults to root)
Container azure-npm runs as root or has no runAsUser set	kube-system	pod/azure-npm-z8mcz	Not Set (Defaults to root)
Container block-wireserver runs as root or has no runAsUser set	kube-system	pod/azure-npm-z8mcz	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-npm-z8mcz	Not Set (Defaults to root)
Container azure-policy runs as root or has no runAsUser set	kube-system	pod/azure-policy-698f7c86b4-nnff2	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-policy-698f7c86b4-nnff2	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-policy-698f7c86b4-nnff2	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-policy-webhook-764fdf5cd5-6vrc5	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-policy-webhook-764fdf5cd5-6vrc5	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-wi-webhook-controller-manager-7f95f666d4-7r44b	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-wi-webhook-controller-manager-7f95f666d4-7r44b	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-wi-webhook-controller-manager-7f95f666d4-xfh2p	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/azure-wi-webhook-controller-manager-7f95f666d4-xfh2p	Not Set (Defaults to root)
Container cloud-node-manager runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-57rk2	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-57rk2	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-57rk2	Not Set (Defaults to root)
Container cloud-node-manager runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-gl5xl	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-gl5xl	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-gl5xl	Not Set (Defaults to root)
Container cloud-node-manager runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-l7v5j	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-l7v5j	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-l7v5j	Not Set (Defaults to root)
Container cloud-node-manager runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-lr49d	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-lr49d	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-lr49d	Not Set (Defaults to root)
Container cloud-node-manager runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-n5qdr	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-n5qdr	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-n5qdr	Not Set (Defaults to root)
Container cloud-node-manager runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-xwrrd	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-xwrrd	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/cloud-node-manager-xwrrd	Not Set (Defaults to root)
Container coredns runs as root or has no runAsUser set	kube-system	pod/coredns-658d6d767d-757xp	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/coredns-658d6d767d-757xp	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/coredns-658d6d767d-757xp	Not Set (Defaults to root)
Container coredns runs as root or has no runAsUser set	kube-system	pod/coredns-658d6d767d-pt6l6	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/coredns-658d6d767d-pt6l6	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/coredns-658d6d767d-pt6l6	Not Set (Defaults to root)
Container autoscaler runs as root or has no runAsUser set	kube-system	pod/coredns-autoscaler-5955d6bbdb-mz9kn	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/coredns-autoscaler-5955d6bbdb-mz9kn	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/coredns-autoscaler-5955d6bbdb-mz9kn	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/eraser-controller-manager-864f9476c8-lhdfc	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/eraser-controller-manager-864f9476c8-lhdfc	Not Set (Defaults to root)
Container konnectivity-agent runs as root or has no runAsUser set	kube-system	pod/konnectivity-agent-9f65c5cd8-fzm5q	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/konnectivity-agent-9f65c5cd8-fzm5q	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/konnectivity-agent-9f65c5cd8-fzm5q	Not Set (Defaults to root)
Container konnectivity-agent runs as root or has no runAsUser set	kube-system	pod/konnectivity-agent-9f65c5cd8-t9qdj	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/konnectivity-agent-9f65c5cd8-t9qdj	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/konnectivity-agent-9f65c5cd8-t9qdj	Not Set (Defaults to root)
Container autoscaler runs as root or has no runAsUser set	kube-system	pod/konnectivity-agent-autoscaler-cdfc7c46-vct7p	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/konnectivity-agent-autoscaler-cdfc7c46-vct7p	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/konnectivity-agent-autoscaler-cdfc7c46-vct7p	Not Set (Defaults to root)
Container kube-proxy runs as root or has no runAsUser set	kube-system	pod/kube-proxy-26xkd	Not Set (Defaults to root)
Container kube-proxy-bootstrap runs as root or has no runAsUser set	kube-system	pod/kube-proxy-26xkd	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/kube-proxy-26xkd	Not Set (Defaults to root)
Container kube-proxy runs as root or has no runAsUser set	kube-system	pod/kube-proxy-6mrql	Not Set (Defaults to root)
Container kube-proxy-bootstrap runs as root or has no runAsUser set	kube-system	pod/kube-proxy-6mrql	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/kube-proxy-6mrql	Not Set (Defaults to root)
Container kube-proxy runs as root or has no runAsUser set	kube-system	pod/kube-proxy-9rbxf	Not Set (Defaults to root)
Container kube-proxy-bootstrap runs as root or has no runAsUser set	kube-system	pod/kube-proxy-9rbxf	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/kube-proxy-9rbxf	Not Set (Defaults to root)
Container kube-proxy runs as root or has no runAsUser set	kube-system	pod/kube-proxy-njzgk	Not Set (Defaults to root)
Container kube-proxy-bootstrap runs as root or has no runAsUser set	kube-system	pod/kube-proxy-njzgk	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/kube-proxy-njzgk	Not Set (Defaults to root)
Container kube-proxy runs as root or has no runAsUser set	kube-system	pod/kube-proxy-rvmxl	Not Set (Defaults to root)
Container kube-proxy-bootstrap runs as root or has no runAsUser set	kube-system	pod/kube-proxy-rvmxl	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/kube-proxy-rvmxl	Not Set (Defaults to root)
Container kube-proxy runs as root or has no runAsUser set	kube-system	pod/kube-proxy-vp7xj	Not Set (Defaults to root)
Container kube-proxy-bootstrap runs as root or has no runAsUser set	kube-system	pod/kube-proxy-vp7xj	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/kube-proxy-vp7xj	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/metrics-server-5f9ccffcc4-jsrjl	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/metrics-server-5f9ccffcc4-jsrjl	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/metrics-server-5f9ccffcc4-v88pw	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/metrics-server-5f9ccffcc4-v88pw	Not Set (Defaults to root)
Container microsoft-defender-pod-collector runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-6xdfq	Not Set (Defaults to root)
Container microsoft-defender-low-level-collector runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-6xdfq	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-6xdfq	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-6xdfq	Not Set (Defaults to root)
Container microsoft-defender-pod-collector runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-89l74	Not Set (Defaults to root)
Container microsoft-defender-low-level-collector runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-89l74	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-89l74	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-89l74	Not Set (Defaults to root)
Container microsoft-defender-pod-collector runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-d7gwk	Not Set (Defaults to root)
Container microsoft-defender-low-level-collector runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-d7gwk	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-d7gwk	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-d7gwk	Not Set (Defaults to root)
Container microsoft-defender-pod-collector runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-mdcs8	Not Set (Defaults to root)
Container microsoft-defender-low-level-collector runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-mdcs8	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-mdcs8	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-mdcs8	Not Set (Defaults to root)
Container microsoft-defender-pod-collector runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-q6d6c	Not Set (Defaults to root)
Container microsoft-defender-low-level-collector runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-q6d6c	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-q6d6c	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-q6d6c	Not Set (Defaults to root)
Container microsoft-defender-pod-collector runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-wb5dm	Not Set (Defaults to root)
Container microsoft-defender-low-level-collector runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-wb5dm	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-wb5dm	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-ds-wb5dm	Not Set (Defaults to root)
Container microsoft-defender-pod-collector runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-misc-7df6776447-bcbph	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-misc-7df6776447-bcbph	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-collector-misc-7df6776447-bcbph	Not Set (Defaults to root)
Container microsoft-defender-publisher runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-2ql5b	Not Set (Defaults to root)
Container old-file-cleaner runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-2ql5b	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-2ql5b	Not Set (Defaults to root)
Container microsoft-defender-publisher runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-2rsrw	Not Set (Defaults to root)
Container old-file-cleaner runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-2rsrw	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-2rsrw	Not Set (Defaults to root)
Container microsoft-defender-publisher runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-jj6dh	Not Set (Defaults to root)
Container old-file-cleaner runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-jj6dh	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-jj6dh	Not Set (Defaults to root)
Container microsoft-defender-publisher runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-l5crs	Not Set (Defaults to root)
Container old-file-cleaner runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-l5crs	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-l5crs	Not Set (Defaults to root)
Container microsoft-defender-publisher runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-lfk8h	Not Set (Defaults to root)
Container old-file-cleaner runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-lfk8h	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-lfk8h	Not Set (Defaults to root)
Container microsoft-defender-publisher runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-vz2c6	Not Set (Defaults to root)
Container old-file-cleaner runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-vz2c6	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/microsoft-defender-publisher-ds-vz2c6	Not Set (Defaults to root)
Container retina runs as root or has no runAsUser set	kube-system	pod/retina-agent-9g44d	Not Set (Defaults to root)
Container retina-agent-init runs as root or has no runAsUser set	kube-system	pod/retina-agent-9g44d	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/retina-agent-9g44d	Not Set (Defaults to root)
Container retina runs as root or has no runAsUser set	kube-system	pod/retina-agent-d6wf4	Not Set (Defaults to root)
Container retina-agent-init runs as root or has no runAsUser set	kube-system	pod/retina-agent-d6wf4	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/retina-agent-d6wf4	Not Set (Defaults to root)
Container retina runs as root or has no runAsUser set	kube-system	pod/retina-agent-gj4r5	Not Set (Defaults to root)
Container retina-agent-init runs as root or has no runAsUser set	kube-system	pod/retina-agent-gj4r5	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/retina-agent-gj4r5	Not Set (Defaults to root)
Container retina runs as root or has no runAsUser set	kube-system	pod/retina-agent-rndzh	Not Set (Defaults to root)
Container retina-agent-init runs as root or has no runAsUser set	kube-system	pod/retina-agent-rndzh	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/retina-agent-rndzh	Not Set (Defaults to root)
Container retina runs as root or has no runAsUser set	kube-system	pod/retina-agent-szggl	Not Set (Defaults to root)
Container retina-agent-init runs as root or has no runAsUser set	kube-system	pod/retina-agent-szggl	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/retina-agent-szggl	Not Set (Defaults to root)
Container retina runs as root or has no runAsUser set	kube-system	pod/retina-agent-t68m8	Not Set (Defaults to root)
Container retina-agent-init runs as root or has no runAsUser set	kube-system	pod/retina-agent-t68m8	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kube-system	pod/retina-agent-t68m8	Not Set (Defaults to root)
Container webserver-simple runs as root or has no runAsUser set	kubeview	pod/simple-deployment-74fd649f8d-qxp2r	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kubeview	pod/simple-deployment-74fd649f8d-qxp2r	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	kubeview	pod/simple-deployment-74fd649f8d-qxp2r	Not Set (Defaults to root)
Container webserver-simple runs as root or has no runAsUser set	linkerd	pod/simple-deployment-74fd649f8d-mkmst	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	linkerd	pod/simple-deployment-74fd649f8d-mkmst	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	linkerd	pod/simple-deployment-74fd649f8d-mkmst	Not Set (Defaults to root)
Container webserver-simple runs as root or has no runAsUser set	nginx	pod/simple-deployment-74fd649f8d-hlcdk	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	nginx	pod/simple-deployment-74fd649f8d-hlcdk	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	nginx	pod/simple-deployment-74fd649f8d-hlcdk	Not Set (Defaults to root)
Container order-service runs as root or has no runAsUser set	pets	pod/order-service-6c5bfb6946-b58xq	Not Set (Defaults to root)
Container wait-for-rabbitmq runs as root or has no runAsUser set	pets	pod/order-service-6c5bfb6946-b58xq	Not Set (Defaults to root)
Container istio-init runs as root or has no runAsUser set	pets	pod/order-service-6c5bfb6946-b58xq	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	pets	pod/order-service-6c5bfb6946-b58xq	Not Set (Defaults to root)
Container product-service runs as root or has no runAsUser set	pets	pod/product-service-5dd87dfb8-ssfxc	Not Set (Defaults to root)
Container istio-init runs as root or has no runAsUser set	pets	pod/product-service-5dd87dfb8-ssfxc	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	pets	pod/product-service-5dd87dfb8-ssfxc	Not Set (Defaults to root)
Container rabbitmq runs as root or has no runAsUser set	pets	pod/rabbitmq-0	Not Set (Defaults to root)
Container istio-init runs as root or has no runAsUser set	pets	pod/rabbitmq-0	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	pets	pod/rabbitmq-0	Not Set (Defaults to root)
Container store-front runs as root or has no runAsUser set	pets	pod/store-front-658994fd95-pk9qn	Not Set (Defaults to root)
Container istio-init runs as root or has no runAsUser set	pets	pod/store-front-658994fd95-pk9qn	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	pets	pod/store-front-658994fd95-pk9qn	Not Set (Defaults to root)
Container webserver-simple runs as root or has no runAsUser set	prometheus	pod/simple-deployment-74fd649f8d-2x6w5	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	prometheus	pod/simple-deployment-74fd649f8d-2x6w5	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	prometheus	pod/simple-deployment-74fd649f8d-2x6w5	Not Set (Defaults to root)
Container webserver-simple runs as root or has no runAsUser set	sealed-secrets	pod/simple-deployment-74fd649f8d-stktp	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	sealed-secrets	pod/simple-deployment-74fd649f8d-stktp	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	sealed-secrets	pod/simple-deployment-74fd649f8d-stktp	Not Set (Defaults to root)
Container webserver-simple runs as root or has no runAsUser set	test	pod/simple-deployment-74fd649f8d-lhlkx	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	test	pod/simple-deployment-74fd649f8d-lhlkx	Not Set (Defaults to root)
Container runs as root or has no runAsUser set	test	pod/simple-deployment-74fd649f8d-lhlkx	Not Set (Defaults to root)

SEC004 - Privileged Containers iDetects containers running with privileged mode enabled.

⚠️ Total Pods with Issues: 37

Show Findings

Recommendations

🚫 Disable Privileged Containers

Remove securityContext.privileged: true from container specs.
Refactor workloads to avoid needing host-level access.
Enforce restrictions using Pod Security Policies or OPA/Gatekeeper.
Limit use to dedicated namespaces with strict controls.

Message	Namespace	Resource	Value
Container 'secrets-store' is running in privileged mode	kube-system	pod/aks-secrets-store-csi-driver-2l2wl	privileged=true
Container 'secrets-store' is running in privileged mode	kube-system	pod/aks-secrets-store-csi-driver-6w2vp	privileged=true
Container 'secrets-store' is running in privileged mode	kube-system	pod/aks-secrets-store-csi-driver-7879c	privileged=true
Container 'secrets-store' is running in privileged mode	kube-system	pod/aks-secrets-store-csi-driver-m8m29	privileged=true
Container 'secrets-store' is running in privileged mode	kube-system	pod/aks-secrets-store-csi-driver-vnmcd	privileged=true
Container 'secrets-store' is running in privileged mode	kube-system	pod/aks-secrets-store-csi-driver-zrfbz	privileged=true
Container 'ama-logs' is running in privileged mode	kube-system	pod/ama-logs-4v8mz	privileged=true
Container 'ama-logs-prometheus' is running in privileged mode	kube-system	pod/ama-logs-4v8mz	privileged=true
Container 'ama-logs' is running in privileged mode	kube-system	pod/ama-logs-5vr2w	privileged=true
Container 'ama-logs-prometheus' is running in privileged mode	kube-system	pod/ama-logs-5vr2w	privileged=true
Container 'ama-logs' is running in privileged mode	kube-system	pod/ama-logs-fmd7b	privileged=true
Container 'ama-logs-prometheus' is running in privileged mode	kube-system	pod/ama-logs-fmd7b	privileged=true
Container 'ama-logs' is running in privileged mode	kube-system	pod/ama-logs-fpkw6	privileged=true
Container 'ama-logs-prometheus' is running in privileged mode	kube-system	pod/ama-logs-fpkw6	privileged=true
Container 'ama-logs' is running in privileged mode	kube-system	pod/ama-logs-gqs28	privileged=true
Container 'ama-logs-prometheus' is running in privileged mode	kube-system	pod/ama-logs-gqs28	privileged=true
Container 'ama-logs' is running in privileged mode	kube-system	pod/ama-logs-ndxrw	privileged=true
Container 'ama-logs-prometheus' is running in privileged mode	kube-system	pod/ama-logs-ndxrw	privileged=true
Container 'ama-logs' is running in privileged mode	kube-system	pod/ama-logs-rs-64765bd4b9-ldxwl	privileged=true
Container 'kube-proxy' is running in privileged mode	kube-system	pod/kube-proxy-26xkd	privileged=true
Container 'kube-proxy-bootstrap' is running in privileged mode	kube-system	pod/kube-proxy-26xkd	privileged=true
Container 'kube-proxy' is running in privileged mode	kube-system	pod/kube-proxy-6mrql	privileged=true
Container 'kube-proxy-bootstrap' is running in privileged mode	kube-system	pod/kube-proxy-6mrql	privileged=true
Container 'kube-proxy' is running in privileged mode	kube-system	pod/kube-proxy-9rbxf	privileged=true
Container 'kube-proxy-bootstrap' is running in privileged mode	kube-system	pod/kube-proxy-9rbxf	privileged=true
Container 'kube-proxy' is running in privileged mode	kube-system	pod/kube-proxy-njzgk	privileged=true
Container 'kube-proxy-bootstrap' is running in privileged mode	kube-system	pod/kube-proxy-njzgk	privileged=true
Container 'kube-proxy' is running in privileged mode	kube-system	pod/kube-proxy-rvmxl	privileged=true
Container 'kube-proxy-bootstrap' is running in privileged mode	kube-system	pod/kube-proxy-rvmxl	privileged=true
Container 'kube-proxy' is running in privileged mode	kube-system	pod/kube-proxy-vp7xj	privileged=true
Container 'kube-proxy-bootstrap' is running in privileged mode	kube-system	pod/kube-proxy-vp7xj	privileged=true
Container 'retina-agent-init' is running in privileged mode	kube-system	pod/retina-agent-9g44d	privileged=true
Container 'retina-agent-init' is running in privileged mode	kube-system	pod/retina-agent-d6wf4	privileged=true
Container 'retina-agent-init' is running in privileged mode	kube-system	pod/retina-agent-gj4r5	privileged=true
Container 'retina-agent-init' is running in privileged mode	kube-system	pod/retina-agent-rndzh	privileged=true
Container 'retina-agent-init' is running in privileged mode	kube-system	pod/retina-agent-szggl	privileged=true
Container 'retina-agent-init' is running in privileged mode	kube-system	pod/retina-agent-t68m8	privileged=true

SEC005 - Pods Using hostIPC iDetects pods that use hostIPC, which can compromise pod isolation and allow access to shared memory on the host.

✅ All Pods are healthy.

SEC006 - Pods Missing Secure Defaults iChecks if pods are missing recommended securityContext fields such as runAsNonRoot, readOnlyRootFilesystem, or allowPrivilegeEscalation.

⚠️ Total Pods with Issues: 151

Show Findings

Recommendations

Set securityContext.runAsNonRoot: true
Set securityContext.readOnlyRootFilesystem: true
Set securityContext.allowPrivilegeEscalation: false

Container	Flags	Issue	Namespace	Pod
controller	runAsNonRoot: True, readOnlyRootFilesystem: , allowPrivilegeEscalation: False	Missing one or more secure defaults	app-routing-system	nginx-69fcb489fd-4wgk9
controller	runAsNonRoot: True, readOnlyRootFilesystem: , allowPrivilegeEscalation: False	Missing one or more secure defaults	app-routing-system	nginx-69fcb489fd-64v6k
webserver-simple	Missing securityContext	No securityContext defined	argo-rollouts	simple-deployment-74fd649f8d-996vt
webserver-simple	Missing securityContext	No securityContext defined	argo-workflows	simple-deployment-74fd649f8d-24t56
argocd-notifications-controller	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	argocd	argocd-notifications-controller-6ff6bf8dd6-nbktr
haproxy	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	argocd	argocd-redis-ha-haproxy-fb657456c-kjbkq
haproxy	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	argocd	argocd-redis-ha-haproxy-fb657456c-kjlpf
haproxy	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	argocd	argocd-redis-ha-haproxy-fb657456c-tnjmb
redis	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	argocd	argocd-redis-ha-server-0
sentinel	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	argocd	argocd-redis-ha-server-0
split-brain-fix	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	argocd	argocd-redis-ha-server-0
redis	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	argocd	argocd-redis-ha-server-1
sentinel	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	argocd	argocd-redis-ha-server-1
split-brain-fix	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	argocd	argocd-redis-ha-server-1
redis	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	argocd	argocd-redis-ha-server-2
sentinel	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	argocd	argocd-redis-ha-server-2
split-brain-fix	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	argocd	argocd-redis-ha-server-2
webserver-simple	Missing securityContext	No securityContext defined	cert-manager	simple-deployment-74fd649f8d-7cht8
webserver-simple	Missing securityContext	No securityContext defined	grafana	simple-deployment-74fd649f8d-l7wrd
node-driver-registrar	Missing securityContext	No securityContext defined	kube-system	aks-secrets-store-csi-driver-2l2wl
secrets-store	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	aks-secrets-store-csi-driver-2l2wl
liveness-probe	Missing securityContext	No securityContext defined	kube-system	aks-secrets-store-csi-driver-2l2wl
node-driver-registrar	Missing securityContext	No securityContext defined	kube-system	aks-secrets-store-csi-driver-6w2vp
secrets-store	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	aks-secrets-store-csi-driver-6w2vp
liveness-probe	Missing securityContext	No securityContext defined	kube-system	aks-secrets-store-csi-driver-6w2vp
node-driver-registrar	Missing securityContext	No securityContext defined	kube-system	aks-secrets-store-csi-driver-7879c
secrets-store	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	aks-secrets-store-csi-driver-7879c
liveness-probe	Missing securityContext	No securityContext defined	kube-system	aks-secrets-store-csi-driver-7879c
node-driver-registrar	Missing securityContext	No securityContext defined	kube-system	aks-secrets-store-csi-driver-m8m29
secrets-store	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	aks-secrets-store-csi-driver-m8m29
liveness-probe	Missing securityContext	No securityContext defined	kube-system	aks-secrets-store-csi-driver-m8m29
node-driver-registrar	Missing securityContext	No securityContext defined	kube-system	aks-secrets-store-csi-driver-vnmcd
secrets-store	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	aks-secrets-store-csi-driver-vnmcd
liveness-probe	Missing securityContext	No securityContext defined	kube-system	aks-secrets-store-csi-driver-vnmcd
node-driver-registrar	Missing securityContext	No securityContext defined	kube-system	aks-secrets-store-csi-driver-zrfbz
secrets-store	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	aks-secrets-store-csi-driver-zrfbz
liveness-probe	Missing securityContext	No securityContext defined	kube-system	aks-secrets-store-csi-driver-zrfbz
provider-azure-installer	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	aks-secrets-store-provider-azure-68nhw
provider-azure-installer	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	aks-secrets-store-provider-azure-7bqmn
provider-azure-installer	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	aks-secrets-store-provider-azure-7r458
provider-azure-installer	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	aks-secrets-store-provider-azure-k9tdc
provider-azure-installer	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	aks-secrets-store-provider-azure-n952g
provider-azure-installer	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	aks-secrets-store-provider-azure-njpqh
ama-logs	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-logs-4v8mz
ama-logs-prometheus	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-logs-4v8mz
ama-logs	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-logs-5vr2w
ama-logs-prometheus	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-logs-5vr2w
ama-logs	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-logs-fmd7b
ama-logs-prometheus	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-logs-fmd7b
ama-logs	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-logs-fpkw6
ama-logs-prometheus	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-logs-fpkw6
ama-logs	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-logs-gqs28
ama-logs-prometheus	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-logs-gqs28
ama-logs	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-logs-ndxrw
ama-logs-prometheus	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-logs-ndxrw
ama-logs	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-logs-rs-64765bd4b9-ldxwl
prometheus-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-7f878d975f-hlggb
addon-token-adapter	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-7f878d975f-hlggb
prometheus-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-7f878d975f-q2mlg
addon-token-adapter	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-7f878d975f-q2mlg
ama-metrics-ksm	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-ksm-5bd68b9c-8l9lp
prometheus-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-node-2ssrw
addon-token-adapter	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-node-2ssrw
prometheus-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-node-6kkz8
addon-token-adapter	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-node-6kkz8
prometheus-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-node-9h44h
addon-token-adapter	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-node-9h44h
prometheus-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-node-lhk42
addon-token-adapter	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-node-lhk42
prometheus-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-node-nm5bf
addon-token-adapter	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-node-nm5bf
prometheus-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-node-pqcz5
addon-token-adapter	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-node-pqcz5
targetallocator	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-operator-targets-66fb46c8d6-vskdg
config-reader	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	ama-metrics-operator-targets-66fb46c8d6-vskdg
azure-ip-masq-agent	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	azure-ip-masq-agent-4522j
azure-ip-masq-agent	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	azure-ip-masq-agent-4c7cr
azure-ip-masq-agent	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	azure-ip-masq-agent-78rnw
azure-ip-masq-agent	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	azure-ip-masq-agent-84ltn
azure-ip-masq-agent	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	azure-ip-masq-agent-t4c2w
azure-ip-masq-agent	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	azure-ip-masq-agent-vbdd8
azure-npm	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	azure-npm-jsbbh
azure-npm	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	azure-npm-lp6sf
azure-npm	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	azure-npm-nv6xx
azure-npm	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	azure-npm-p6fpw
azure-npm	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	azure-npm-vsrfp
azure-npm	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	azure-npm-z8mcz
azure-policy	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	kube-system	azure-policy-698f7c86b4-nnff2
cloud-node-manager	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	cloud-node-manager-57rk2
cloud-node-manager	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	cloud-node-manager-gl5xl
cloud-node-manager	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	cloud-node-manager-l7v5j
cloud-node-manager	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	cloud-node-manager-lr49d
cloud-node-manager	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	cloud-node-manager-n5qdr
cloud-node-manager	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	cloud-node-manager-xwrrd
coredns	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	kube-system	coredns-658d6d767d-757xp
coredns	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	kube-system	coredns-658d6d767d-pt6l6
autoscaler	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	coredns-autoscaler-5955d6bbdb-mz9kn
keda-admission-webhooks	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	kube-system	keda-admission-webhooks-787f866c7c-4b64k
keda-admission-webhooks	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	kube-system	keda-admission-webhooks-787f866c7c-dw2sg
keda-operator	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	kube-system	keda-operator-6b85944bfb-4zpbp
keda-operator	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	kube-system	keda-operator-6b85944bfb-sx9sj
keda-operator-metrics-apiserver	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	kube-system	keda-operator-metrics-apiserver-8468875db7-86c5h
keda-operator-metrics-apiserver	runAsNonRoot: , readOnlyRootFilesystem: True, allowPrivilegeEscalation: False	Missing one or more secure defaults	kube-system	keda-operator-metrics-apiserver-8468875db7-ngp4h
konnectivity-agent	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	konnectivity-agent-9f65c5cd8-fzm5q
konnectivity-agent	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	konnectivity-agent-9f65c5cd8-t9qdj
autoscaler	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	konnectivity-agent-autoscaler-cdfc7c46-vct7p
kube-proxy	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	kube-proxy-26xkd
kube-proxy	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	kube-proxy-6mrql
kube-proxy	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	kube-proxy-9rbxf
kube-proxy	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	kube-proxy-njzgk
kube-proxy	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	kube-proxy-rvmxl
kube-proxy	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	kube-proxy-vp7xj
microsoft-defender-pod-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-collector-ds-6xdfq
microsoft-defender-low-level-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-collector-ds-6xdfq
microsoft-defender-pod-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-collector-ds-89l74
microsoft-defender-low-level-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-collector-ds-89l74
microsoft-defender-pod-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-collector-ds-d7gwk
microsoft-defender-low-level-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-collector-ds-d7gwk
microsoft-defender-pod-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-collector-ds-mdcs8
microsoft-defender-low-level-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-collector-ds-mdcs8
microsoft-defender-pod-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-collector-ds-q6d6c
microsoft-defender-low-level-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-collector-ds-q6d6c
microsoft-defender-pod-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-collector-ds-wb5dm
microsoft-defender-low-level-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-collector-ds-wb5dm
microsoft-defender-pod-collector	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-collector-misc-7df6776447-bcbph
microsoft-defender-publisher	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-publisher-ds-2ql5b
microsoft-defender-publisher	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-publisher-ds-2rsrw
microsoft-defender-publisher	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-publisher-ds-jj6dh
microsoft-defender-publisher	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-publisher-ds-l5crs
microsoft-defender-publisher	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-publisher-ds-lfk8h
microsoft-defender-publisher	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	microsoft-defender-publisher-ds-vz2c6
retina	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	retina-agent-9g44d
retina	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	retina-agent-d6wf4
retina	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	retina-agent-gj4r5
retina	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	retina-agent-rndzh
retina	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	retina-agent-szggl
retina	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	retina-agent-t68m8
admission-controller	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	vpa-admission-controller-7d9f8d57bd-lrcch
admission-controller	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	vpa-admission-controller-7d9f8d57bd-tnqvx
recommender	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	vpa-recommender-74bfff7f75-sspdc
updater	runAsNonRoot: , readOnlyRootFilesystem: , allowPrivilegeEscalation:	Missing one or more secure defaults	kube-system	vpa-updater-5d6d49f8b6-pxkz8
webserver-simple	Missing securityContext	No securityContext defined	kubeview	simple-deployment-74fd649f8d-qxp2r
webserver-simple	Missing securityContext	No securityContext defined	linkerd	simple-deployment-74fd649f8d-mkmst
webserver-simple	Missing securityContext	No securityContext defined	nginx	simple-deployment-74fd649f8d-hlcdk
order-service	Missing securityContext	No securityContext defined	pets	order-service-6c5bfb6946-b58xq
product-service	Missing securityContext	No securityContext defined	pets	product-service-5dd87dfb8-ssfxc
rabbitmq	Missing securityContext	No securityContext defined	pets	rabbitmq-0
store-front	Missing securityContext	No securityContext defined	pets	store-front-658994fd95-pk9qn
webserver-simple	Missing securityContext	No securityContext defined	prometheus	simple-deployment-74fd649f8d-2x6w5
webserver-simple	Missing securityContext	No securityContext defined	sealed-secrets	simple-deployment-74fd649f8d-stktp
webserver-simple	Missing securityContext	No securityContext defined	test	simple-deployment-74fd649f8d-lhlkx

SEC007 - Missing Pod Security Admission Labels iChecks if namespaces are missing the 'pod-security.kubernetes.io/enforce' label required for Pod Security Admission enforcement.

⚠️ Total Namespaces with Issues: 32

Show Findings

Recommendations

Set pod-security.kubernetes.io/enforce=restricted on sensitive namespaces.
Optionally use enforce-version and audit labels.

Audit	Issue	Namespace	Warn
N/A	No pod security labels	1	N/A
N/A	No pod security labels	10	N/A
N/A	No pod security labels	2	N/A
N/A	No pod security labels	3	N/A
N/A	No pod security labels	4	N/A
N/A	No pod security labels	5	N/A
N/A	No pod security labels	6	N/A
N/A	No pod security labels	7	N/A
N/A	No pod security labels	8	N/A
N/A	No pod security labels	9	N/A
N/A	No pod security labels	aks-istio-egress	N/A
N/A	No pod security labels	aks-istio-ingress	N/A
N/A	No pod security labels	aks-istio-system	N/A
N/A	No pod security labels	app-routing-system	N/A
N/A	No pod security labels	argo-rollouts	N/A
N/A	No pod security labels	argo-workflows	N/A
N/A	No pod security labels	argocd	N/A
N/A	No pod security labels	cert-manager	N/A
N/A	No pod security labels	default	N/A
N/A	No pod security labels	gatekeeper-system	N/A
N/A	No pod security labels	grafana	N/A
N/A	No pod security labels	kiali-operator	N/A
N/A	No pod security labels	kube-node-lease	N/A
N/A	No pod security labels	kube-public	N/A
N/A	No pod security labels	kube-system	N/A
N/A	No pod security labels	kubeview	N/A
N/A	No pod security labels	linkerd	N/A
N/A	No pod security labels	nginx	N/A
N/A	No pod security labels	pets	N/A
N/A	No pod security labels	prometheus	N/A
N/A	No pod security labels	sealed-secrets	N/A
N/A	No pod security labels	test	N/A

SEC008 - Secrets in Environment Variables iDetects secrets injected into pods via environment variables using env.valueFrom.secretKeyRef. `n This makes secrets easier to leak through logs or /proc inspection.

⚠️ Total Pods with Issues: 20

Show Findings

Recommendations

Use secret volumes instead of env vars to reduce accidental exposure.
Avoid using valueFrom.secretKeyRef in env.
Limit permissions to read secrets.

EnvVar	Issue	Namespace	Pod
env: REDIS_PASSWORD	Secret argocd-redis exposed via env var in container argocd-application-controller	argocd	pod/argocd-application-controller-0
env: AUTH	Secret argocd-redis exposed via env var in container haproxy	argocd	pod/argocd-redis-ha-haproxy-fb657456c-kjbkq
env: AUTH	Secret argocd-redis exposed via env var in container haproxy	argocd	pod/argocd-redis-ha-haproxy-fb657456c-kjlpf
env: AUTH	Secret argocd-redis exposed via env var in container haproxy	argocd	pod/argocd-redis-ha-haproxy-fb657456c-tnjmb
env: AUTH	Secret argocd-redis exposed via env var in container redis	argocd	pod/argocd-redis-ha-server-0
env: AUTH	Secret argocd-redis exposed via env var in container sentinel	argocd	pod/argocd-redis-ha-server-0
env: AUTH	Secret argocd-redis exposed via env var in container split-brain-fix	argocd	pod/argocd-redis-ha-server-0
env: AUTH	Secret argocd-redis exposed via env var in container config-init	argocd	pod/argocd-redis-ha-server-0
env: AUTH	Secret argocd-redis exposed via env var in container redis	argocd	pod/argocd-redis-ha-server-1
env: AUTH	Secret argocd-redis exposed via env var in container sentinel	argocd	pod/argocd-redis-ha-server-1
env: AUTH	Secret argocd-redis exposed via env var in container split-brain-fix	argocd	pod/argocd-redis-ha-server-1
env: AUTH	Secret argocd-redis exposed via env var in container config-init	argocd	pod/argocd-redis-ha-server-1
env: AUTH	Secret argocd-redis exposed via env var in container redis	argocd	pod/argocd-redis-ha-server-2
env: AUTH	Secret argocd-redis exposed via env var in container sentinel	argocd	pod/argocd-redis-ha-server-2
env: AUTH	Secret argocd-redis exposed via env var in container split-brain-fix	argocd	pod/argocd-redis-ha-server-2
env: AUTH	Secret argocd-redis exposed via env var in container config-init	argocd	pod/argocd-redis-ha-server-2
env: REDIS_PASSWORD	Secret argocd-redis exposed via env var in container argocd-repo-server	argocd	pod/argocd-repo-server-8568fc89b5-sx6ks
env: REDIS_PASSWORD	Secret argocd-redis exposed via env var in container argocd-repo-server	argocd	pod/argocd-repo-server-8568fc89b5-xrzzn
env: REDIS_PASSWORD	Secret argocd-redis exposed via env var in container argocd-server	argocd	pod/argocd-server-c5b86c885-2zqmx
env: REDIS_PASSWORD	Secret argocd-redis exposed via env var in container argocd-server	argocd	pod/argocd-server-c5b86c885-zlzd5

SEC009 - Missing Capabilities Drop iChecks containers that don't drop all Linux capabilities via securityContext.capabilities.drop = ['ALL'].

⚠️ Total Pods with Issues: 38

Show Findings

Recommendations

Set securityContext.capabilities.drop: ['ALL'] in container spec.
Allow only required capabilities via add list, if any.

Container	Issue	Namespace	Pod
webserver-simple	Does not drop ALL capabilities	argo-rollouts	simple-deployment-74fd649f8d-996vt
webserver-simple	Does not drop ALL capabilities	argo-workflows	simple-deployment-74fd649f8d-24t56
webserver-simple	Does not drop ALL capabilities	cert-manager	simple-deployment-74fd649f8d-7cht8
webserver-simple	Does not drop ALL capabilities	grafana	simple-deployment-74fd649f8d-l7wrd
node-driver-registrar	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-2l2wl
secrets-store	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-2l2wl
liveness-probe	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-2l2wl
node-driver-registrar	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-6w2vp
secrets-store	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-6w2vp
liveness-probe	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-6w2vp
node-driver-registrar	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-7879c
secrets-store	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-7879c
liveness-probe	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-7879c
node-driver-registrar	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-m8m29
secrets-store	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-m8m29
liveness-probe	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-m8m29
node-driver-registrar	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-vnmcd
secrets-store	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-vnmcd
liveness-probe	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-vnmcd
node-driver-registrar	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-zrfbz
secrets-store	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-zrfbz
liveness-probe	Does not drop ALL capabilities	kube-system	aks-secrets-store-csi-driver-zrfbz
kube-proxy	Does not drop ALL capabilities	kube-system	kube-proxy-26xkd
kube-proxy	Does not drop ALL capabilities	kube-system	kube-proxy-6mrql
kube-proxy	Does not drop ALL capabilities	kube-system	kube-proxy-9rbxf
kube-proxy	Does not drop ALL capabilities	kube-system	kube-proxy-njzgk
kube-proxy	Does not drop ALL capabilities	kube-system	kube-proxy-rvmxl
kube-proxy	Does not drop ALL capabilities	kube-system	kube-proxy-vp7xj
webserver-simple	Does not drop ALL capabilities	kubeview	simple-deployment-74fd649f8d-qxp2r
webserver-simple	Does not drop ALL capabilities	linkerd	simple-deployment-74fd649f8d-mkmst
webserver-simple	Does not drop ALL capabilities	nginx	simple-deployment-74fd649f8d-hlcdk
order-service	Does not drop ALL capabilities	pets	order-service-6c5bfb6946-b58xq
product-service	Does not drop ALL capabilities	pets	product-service-5dd87dfb8-ssfxc
rabbitmq	Does not drop ALL capabilities	pets	rabbitmq-0
store-front	Does not drop ALL capabilities	pets	store-front-658994fd95-pk9qn
webserver-simple	Does not drop ALL capabilities	prometheus	simple-deployment-74fd649f8d-2x6w5
webserver-simple	Does not drop ALL capabilities	sealed-secrets	simple-deployment-74fd649f8d-stktp
webserver-simple	Does not drop ALL capabilities	test	simple-deployment-74fd649f8d-lhlkx

SEC010 - HostPath Volume Usage iFlags pods that use hostPath volumes, which mount parts of the host filesystem. This bypasses isolation and can be dangerous if misused.

⚠️ Total Pods with Issues: 303

Show Findings

Recommendations

Remove hostPath volumes unless needed for host-level access.
Consider alternatives like persistent volume claims or configMaps.

Issue	Namespace	Path	Pod	Volume
hostPath volume used	kube-system	/var/lib/kubelet/pods	aks-secrets-store-csi-driver-2l2wl	mountpoint-dir
hostPath volume used	kube-system	/var/lib/kubelet/plugins_registry/	aks-secrets-store-csi-driver-2l2wl	registration-dir
hostPath volume used	kube-system	/var/lib/kubelet/plugins/csi-secrets-store/	aks-secrets-store-csi-driver-2l2wl	plugin-dir
hostPath volume used	kube-system	/var/run/secrets-store-csi-providers	aks-secrets-store-csi-driver-2l2wl	providers-dir
hostPath volume used	kube-system	/etc/kubernetes/secrets-store-csi-providers	aks-secrets-store-csi-driver-2l2wl	providers-dir-0
hostPath volume used	kube-system	/var/lib/kubelet/pods	aks-secrets-store-csi-driver-6w2vp	mountpoint-dir
hostPath volume used	kube-system	/var/lib/kubelet/plugins_registry/	aks-secrets-store-csi-driver-6w2vp	registration-dir
hostPath volume used	kube-system	/var/lib/kubelet/plugins/csi-secrets-store/	aks-secrets-store-csi-driver-6w2vp	plugin-dir
hostPath volume used	kube-system	/var/run/secrets-store-csi-providers	aks-secrets-store-csi-driver-6w2vp	providers-dir
hostPath volume used	kube-system	/etc/kubernetes/secrets-store-csi-providers	aks-secrets-store-csi-driver-6w2vp	providers-dir-0
hostPath volume used	kube-system	/var/lib/kubelet/pods	aks-secrets-store-csi-driver-7879c	mountpoint-dir
hostPath volume used	kube-system	/var/lib/kubelet/plugins_registry/	aks-secrets-store-csi-driver-7879c	registration-dir
hostPath volume used	kube-system	/var/lib/kubelet/plugins/csi-secrets-store/	aks-secrets-store-csi-driver-7879c	plugin-dir
hostPath volume used	kube-system	/var/run/secrets-store-csi-providers	aks-secrets-store-csi-driver-7879c	providers-dir
hostPath volume used	kube-system	/etc/kubernetes/secrets-store-csi-providers	aks-secrets-store-csi-driver-7879c	providers-dir-0
hostPath volume used	kube-system	/var/lib/kubelet/pods	aks-secrets-store-csi-driver-m8m29	mountpoint-dir
hostPath volume used	kube-system	/var/lib/kubelet/plugins_registry/	aks-secrets-store-csi-driver-m8m29	registration-dir
hostPath volume used	kube-system	/var/lib/kubelet/plugins/csi-secrets-store/	aks-secrets-store-csi-driver-m8m29	plugin-dir
hostPath volume used	kube-system	/var/run/secrets-store-csi-providers	aks-secrets-store-csi-driver-m8m29	providers-dir
hostPath volume used	kube-system	/etc/kubernetes/secrets-store-csi-providers	aks-secrets-store-csi-driver-m8m29	providers-dir-0
hostPath volume used	kube-system	/var/lib/kubelet/pods	aks-secrets-store-csi-driver-vnmcd	mountpoint-dir
hostPath volume used	kube-system	/var/lib/kubelet/plugins_registry/	aks-secrets-store-csi-driver-vnmcd	registration-dir
hostPath volume used	kube-system	/var/lib/kubelet/plugins/csi-secrets-store/	aks-secrets-store-csi-driver-vnmcd	plugin-dir
hostPath volume used	kube-system	/var/run/secrets-store-csi-providers	aks-secrets-store-csi-driver-vnmcd	providers-dir
hostPath volume used	kube-system	/etc/kubernetes/secrets-store-csi-providers	aks-secrets-store-csi-driver-vnmcd	providers-dir-0
hostPath volume used	kube-system	/var/lib/kubelet/pods	aks-secrets-store-csi-driver-zrfbz	mountpoint-dir
hostPath volume used	kube-system	/var/lib/kubelet/plugins_registry/	aks-secrets-store-csi-driver-zrfbz	registration-dir
hostPath volume used	kube-system	/var/lib/kubelet/plugins/csi-secrets-store/	aks-secrets-store-csi-driver-zrfbz	plugin-dir
hostPath volume used	kube-system	/var/run/secrets-store-csi-providers	aks-secrets-store-csi-driver-zrfbz	providers-dir
hostPath volume used	kube-system	/etc/kubernetes/secrets-store-csi-providers	aks-secrets-store-csi-driver-zrfbz	providers-dir-0
hostPath volume used	kube-system	/var/run/secrets-store-csi-providers	aks-secrets-store-provider-azure-68nhw	provider-vol
hostPath volume used	kube-system	/var/run/secrets-store-csi-providers	aks-secrets-store-provider-azure-7bqmn	provider-vol
hostPath volume used	kube-system	/var/run/secrets-store-csi-providers	aks-secrets-store-provider-azure-7r458	provider-vol
hostPath volume used	kube-system	/var/run/secrets-store-csi-providers	aks-secrets-store-provider-azure-k9tdc	provider-vol
hostPath volume used	kube-system	/var/run/secrets-store-csi-providers	aks-secrets-store-provider-azure-n952g	provider-vol
hostPath volume used	kube-system	/var/run/secrets-store-csi-providers	aks-secrets-store-provider-azure-njpqh	provider-vol
hostPath volume used	kube-system	/	ama-logs-4v8mz	host-root
hostPath volume used	kube-system	/etc/hostname	ama-logs-4v8mz	container-hostname
hostPath volume used	kube-system	/var/log	ama-logs-4v8mz	host-log
hostPath volume used	kube-system	/var/run/mdsd-ci	ama-logs-4v8mz	mdsd-sock
hostPath volume used	kube-system	/var/lib/docker/containers	ama-logs-4v8mz	containerlog-path
hostPath volume used	kube-system	/mnt/docker	ama-logs-4v8mz	containerlog-path-2
hostPath volume used	kube-system	/mnt/containers	ama-logs-4v8mz	containerlog-path-3
hostPath volume used	kube-system	/etc/kubernetes	ama-logs-4v8mz	azure-json-path
hostPath volume used	kube-system	/	ama-logs-5vr2w	host-root
hostPath volume used	kube-system	/etc/hostname	ama-logs-5vr2w	container-hostname
hostPath volume used	kube-system	/var/log	ama-logs-5vr2w	host-log
hostPath volume used	kube-system	/var/run/mdsd-ci	ama-logs-5vr2w	mdsd-sock
hostPath volume used	kube-system	/var/lib/docker/containers	ama-logs-5vr2w	containerlog-path
hostPath volume used	kube-system	/mnt/docker	ama-logs-5vr2w	containerlog-path-2
hostPath volume used	kube-system	/mnt/containers	ama-logs-5vr2w	containerlog-path-3
hostPath volume used	kube-system	/etc/kubernetes	ama-logs-5vr2w	azure-json-path
hostPath volume used	kube-system	/	ama-logs-fmd7b	host-root
hostPath volume used	kube-system	/etc/hostname	ama-logs-fmd7b	container-hostname
hostPath volume used	kube-system	/var/log	ama-logs-fmd7b	host-log
hostPath volume used	kube-system	/var/run/mdsd-ci	ama-logs-fmd7b	mdsd-sock
hostPath volume used	kube-system	/var/lib/docker/containers	ama-logs-fmd7b	containerlog-path
hostPath volume used	kube-system	/mnt/docker	ama-logs-fmd7b	containerlog-path-2
hostPath volume used	kube-system	/mnt/containers	ama-logs-fmd7b	containerlog-path-3
hostPath volume used	kube-system	/etc/kubernetes	ama-logs-fmd7b	azure-json-path
hostPath volume used	kube-system	/	ama-logs-fpkw6	host-root
hostPath volume used	kube-system	/etc/hostname	ama-logs-fpkw6	container-hostname
hostPath volume used	kube-system	/var/log	ama-logs-fpkw6	host-log
hostPath volume used	kube-system	/var/run/mdsd-ci	ama-logs-fpkw6	mdsd-sock
hostPath volume used	kube-system	/var/lib/docker/containers	ama-logs-fpkw6	containerlog-path
hostPath volume used	kube-system	/mnt/docker	ama-logs-fpkw6	containerlog-path-2
hostPath volume used	kube-system	/mnt/containers	ama-logs-fpkw6	containerlog-path-3
hostPath volume used	kube-system	/etc/kubernetes	ama-logs-fpkw6	azure-json-path
hostPath volume used	kube-system	/	ama-logs-gqs28	host-root
hostPath volume used	kube-system	/etc/hostname	ama-logs-gqs28	container-hostname
hostPath volume used	kube-system	/var/log	ama-logs-gqs28	host-log
hostPath volume used	kube-system	/var/run/mdsd-ci	ama-logs-gqs28	mdsd-sock
hostPath volume used	kube-system	/var/lib/docker/containers	ama-logs-gqs28	containerlog-path
hostPath volume used	kube-system	/mnt/docker	ama-logs-gqs28	containerlog-path-2
hostPath volume used	kube-system	/mnt/containers	ama-logs-gqs28	containerlog-path-3
hostPath volume used	kube-system	/etc/kubernetes	ama-logs-gqs28	azure-json-path
hostPath volume used	kube-system	/	ama-logs-ndxrw	host-root
hostPath volume used	kube-system	/etc/hostname	ama-logs-ndxrw	container-hostname
hostPath volume used	kube-system	/var/log	ama-logs-ndxrw	host-log
hostPath volume used	kube-system	/var/run/mdsd-ci	ama-logs-ndxrw	mdsd-sock
hostPath volume used	kube-system	/var/lib/docker/containers	ama-logs-ndxrw	containerlog-path
hostPath volume used	kube-system	/mnt/docker	ama-logs-ndxrw	containerlog-path-2
hostPath volume used	kube-system	/mnt/containers	ama-logs-ndxrw	containerlog-path-3
hostPath volume used	kube-system	/etc/kubernetes	ama-logs-ndxrw	azure-json-path
hostPath volume used	kube-system	/etc/hostname	ama-logs-rs-64765bd4b9-ldxwl	container-hostname
hostPath volume used	kube-system	/var/log	ama-logs-rs-64765bd4b9-ldxwl	host-log
hostPath volume used	kube-system	/etc/kubernetes	ama-logs-rs-64765bd4b9-ldxwl	azure-json-path
hostPath volume used	kube-system	/var/log/containers	ama-metrics-7f878d975f-hlggb	host-log-containers
hostPath volume used	kube-system	/var/log/pods	ama-metrics-7f878d975f-hlggb	host-log-pods
hostPath volume used	kube-system	/etc/pki/ca-trust/anchors/	ama-metrics-7f878d975f-hlggb	anchors-mariner
hostPath volume used	kube-system	/usr/local/share/ca-certificates/	ama-metrics-7f878d975f-hlggb	anchors-ubuntu
hostPath volume used	kube-system	/var/log/containers	ama-metrics-7f878d975f-q2mlg	host-log-containers
hostPath volume used	kube-system	/var/log/pods	ama-metrics-7f878d975f-q2mlg	host-log-pods
hostPath volume used	kube-system	/etc/pki/ca-trust/anchors/	ama-metrics-7f878d975f-q2mlg	anchors-mariner
hostPath volume used	kube-system	/usr/local/share/ca-certificates/	ama-metrics-7f878d975f-q2mlg	anchors-ubuntu
hostPath volume used	kube-system	/var/log/containers	ama-metrics-node-2ssrw	host-log-containers
hostPath volume used	kube-system	/var/log/pods	ama-metrics-node-2ssrw	host-log-pods
hostPath volume used	kube-system	/etc/pki/ca-trust/anchors/	ama-metrics-node-2ssrw	anchors-mariner
hostPath volume used	kube-system	/usr/local/share/ca-certificates/	ama-metrics-node-2ssrw	anchors-ubuntu
hostPath volume used	kube-system	/var/log/containers	ama-metrics-node-6kkz8	host-log-containers
hostPath volume used	kube-system	/var/log/pods	ama-metrics-node-6kkz8	host-log-pods
hostPath volume used	kube-system	/etc/pki/ca-trust/anchors/	ama-metrics-node-6kkz8	anchors-mariner
hostPath volume used	kube-system	/usr/local/share/ca-certificates/	ama-metrics-node-6kkz8	anchors-ubuntu
hostPath volume used	kube-system	/var/log/containers	ama-metrics-node-9h44h	host-log-containers
hostPath volume used	kube-system	/var/log/pods	ama-metrics-node-9h44h	host-log-pods
hostPath volume used	kube-system	/etc/pki/ca-trust/anchors/	ama-metrics-node-9h44h	anchors-mariner
hostPath volume used	kube-system	/usr/local/share/ca-certificates/	ama-metrics-node-9h44h	anchors-ubuntu
hostPath volume used	kube-system	/var/log/containers	ama-metrics-node-lhk42	host-log-containers
hostPath volume used	kube-system	/var/log/pods	ama-metrics-node-lhk42	host-log-pods
hostPath volume used	kube-system	/etc/pki/ca-trust/anchors/	ama-metrics-node-lhk42	anchors-mariner
hostPath volume used	kube-system	/usr/local/share/ca-certificates/	ama-metrics-node-lhk42	anchors-ubuntu
hostPath volume used	kube-system	/var/log/containers	ama-metrics-node-nm5bf	host-log-containers
hostPath volume used	kube-system	/var/log/pods	ama-metrics-node-nm5bf	host-log-pods
hostPath volume used	kube-system	/etc/pki/ca-trust/anchors/	ama-metrics-node-nm5bf	anchors-mariner
hostPath volume used	kube-system	/usr/local/share/ca-certificates/	ama-metrics-node-nm5bf	anchors-ubuntu
hostPath volume used	kube-system	/var/log/containers	ama-metrics-node-pqcz5	host-log-containers
hostPath volume used	kube-system	/var/log/pods	ama-metrics-node-pqcz5	host-log-pods
hostPath volume used	kube-system	/etc/pki/ca-trust/anchors/	ama-metrics-node-pqcz5	anchors-mariner
hostPath volume used	kube-system	/usr/local/share/ca-certificates/	ama-metrics-node-pqcz5	anchors-ubuntu
hostPath volume used	kube-system	/run/xtables.lock	azure-ip-masq-agent-4522j	iptableslock
hostPath volume used	kube-system	/run/xtables.lock	azure-ip-masq-agent-4c7cr	iptableslock
hostPath volume used	kube-system	/run/xtables.lock	azure-ip-masq-agent-78rnw	iptableslock
hostPath volume used	kube-system	/run/xtables.lock	azure-ip-masq-agent-84ltn	iptableslock
hostPath volume used	kube-system	/run/xtables.lock	azure-ip-masq-agent-t4c2w	iptableslock
hostPath volume used	kube-system	/run/xtables.lock	azure-ip-masq-agent-vbdd8	iptableslock
hostPath volume used	kube-system	/var/log	azure-npm-jsbbh	log
hostPath volume used	kube-system	/run/xtables.lock	azure-npm-jsbbh	xtables-lock
hostPath volume used	kube-system	/etc/protocols	azure-npm-jsbbh	protocols
hostPath volume used	kube-system	/var/log	azure-npm-lp6sf	log
hostPath volume used	kube-system	/run/xtables.lock	azure-npm-lp6sf	xtables-lock
hostPath volume used	kube-system	/etc/protocols	azure-npm-lp6sf	protocols
hostPath volume used	kube-system	/var/log	azure-npm-nv6xx	log
hostPath volume used	kube-system	/run/xtables.lock	azure-npm-nv6xx	xtables-lock
hostPath volume used	kube-system	/etc/protocols	azure-npm-nv6xx	protocols
hostPath volume used	kube-system	/var/log	azure-npm-p6fpw	log
hostPath volume used	kube-system	/run/xtables.lock	azure-npm-p6fpw	xtables-lock
hostPath volume used	kube-system	/etc/protocols	azure-npm-p6fpw	protocols
hostPath volume used	kube-system	/var/log	azure-npm-vsrfp	log
hostPath volume used	kube-system	/run/xtables.lock	azure-npm-vsrfp	xtables-lock
hostPath volume used	kube-system	/etc/protocols	azure-npm-vsrfp	protocols
hostPath volume used	kube-system	/var/log	azure-npm-z8mcz	log
hostPath volume used	kube-system	/run/xtables.lock	azure-npm-z8mcz	xtables-lock
hostPath volume used	kube-system	/etc/protocols	azure-npm-z8mcz	protocols
hostPath volume used	kube-system	/etc/kubernetes/azure.json	azure-policy-698f7c86b4-nnff2	acs-credential
hostPath volume used	kube-system	/etc/ssl/certs	azure-policy-698f7c86b4-nnff2	ca-certs
hostPath volume used	kube-system	/etc/pki/ca-trust/extracted	azure-policy-698f7c86b4-nnff2	etc-pki-ca-certs
hostPath volume used	kube-system	/run/xtables.lock	kube-proxy-26xkd	iptableslock
hostPath volume used	kube-system	/etc/sysctl.d	kube-proxy-26xkd	sysctls
hostPath volume used	kube-system	/lib/modules	kube-proxy-26xkd	modules
hostPath volume used	kube-system	/run/xtables.lock	kube-proxy-6mrql	iptableslock
hostPath volume used	kube-system	/etc/sysctl.d	kube-proxy-6mrql	sysctls
hostPath volume used	kube-system	/lib/modules	kube-proxy-6mrql	modules
hostPath volume used	kube-system	/run/xtables.lock	kube-proxy-9rbxf	iptableslock
hostPath volume used	kube-system	/etc/sysctl.d	kube-proxy-9rbxf	sysctls
hostPath volume used	kube-system	/lib/modules	kube-proxy-9rbxf	modules
hostPath volume used	kube-system	/run/xtables.lock	kube-proxy-njzgk	iptableslock
hostPath volume used	kube-system	/etc/sysctl.d	kube-proxy-njzgk	sysctls
hostPath volume used	kube-system	/lib/modules	kube-proxy-njzgk	modules
hostPath volume used	kube-system	/run/xtables.lock	kube-proxy-rvmxl	iptableslock
hostPath volume used	kube-system	/etc/sysctl.d	kube-proxy-rvmxl	sysctls
hostPath volume used	kube-system	/lib/modules	kube-proxy-rvmxl	modules
hostPath volume used	kube-system	/run/xtables.lock	kube-proxy-vp7xj	iptableslock
hostPath volume used	kube-system	/etc/sysctl.d	kube-proxy-vp7xj	sysctls
hostPath volume used	kube-system	/lib/modules	kube-proxy-vp7xj	modules
hostPath volume used	kube-system	/var/log	microsoft-defender-collector-ds-6xdfq	host-log
hostPath volume used	kube-system	/sys/kernel	microsoft-defender-collector-ds-6xdfq	debugfs
hostPath volume used	kube-system	/lib/modules	microsoft-defender-collector-ds-6xdfq	modules
hostPath volume used	kube-system	/usr/src	microsoft-defender-collector-ds-6xdfq	usr-src
hostPath volume used	kube-system	/run/containerd/containerd.sock	microsoft-defender-collector-ds-6xdfq	containerd-file-sock
hostPath volume used	kube-system	/proc	microsoft-defender-collector-ds-6xdfq	proc
hostPath volume used	kube-system	/bin	microsoft-defender-collector-ds-6xdfq	bin
hostPath volume used	kube-system	/etc	microsoft-defender-collector-ds-6xdfq	etc
hostPath volume used	kube-system	/opt	microsoft-defender-collector-ds-6xdfq	opt
hostPath volume used	kube-system	/usr	microsoft-defender-collector-ds-6xdfq	usr
hostPath volume used	kube-system	/run	microsoft-defender-collector-ds-6xdfq	run
hostPath volume used	kube-system	/sys/fs/bpf	microsoft-defender-collector-ds-6xdfq	bpffs
hostPath volume used	kube-system	/var/log	microsoft-defender-collector-ds-89l74	host-log
hostPath volume used	kube-system	/sys/kernel	microsoft-defender-collector-ds-89l74	debugfs
hostPath volume used	kube-system	/lib/modules	microsoft-defender-collector-ds-89l74	modules
hostPath volume used	kube-system	/usr/src	microsoft-defender-collector-ds-89l74	usr-src
hostPath volume used	kube-system	/run/containerd/containerd.sock	microsoft-defender-collector-ds-89l74	containerd-file-sock
hostPath volume used	kube-system	/proc	microsoft-defender-collector-ds-89l74	proc
hostPath volume used	kube-system	/bin	microsoft-defender-collector-ds-89l74	bin
hostPath volume used	kube-system	/etc	microsoft-defender-collector-ds-89l74	etc
hostPath volume used	kube-system	/opt	microsoft-defender-collector-ds-89l74	opt
hostPath volume used	kube-system	/usr	microsoft-defender-collector-ds-89l74	usr
hostPath volume used	kube-system	/run	microsoft-defender-collector-ds-89l74	run
hostPath volume used	kube-system	/sys/fs/bpf	microsoft-defender-collector-ds-89l74	bpffs
hostPath volume used	kube-system	/var/log	microsoft-defender-collector-ds-d7gwk	host-log
hostPath volume used	kube-system	/sys/kernel	microsoft-defender-collector-ds-d7gwk	debugfs
hostPath volume used	kube-system	/lib/modules	microsoft-defender-collector-ds-d7gwk	modules
hostPath volume used	kube-system	/usr/src	microsoft-defender-collector-ds-d7gwk	usr-src
hostPath volume used	kube-system	/run/containerd/containerd.sock	microsoft-defender-collector-ds-d7gwk	containerd-file-sock
hostPath volume used	kube-system	/proc	microsoft-defender-collector-ds-d7gwk	proc
hostPath volume used	kube-system	/bin	microsoft-defender-collector-ds-d7gwk	bin
hostPath volume used	kube-system	/etc	microsoft-defender-collector-ds-d7gwk	etc
hostPath volume used	kube-system	/opt	microsoft-defender-collector-ds-d7gwk	opt
hostPath volume used	kube-system	/usr	microsoft-defender-collector-ds-d7gwk	usr
hostPath volume used	kube-system	/run	microsoft-defender-collector-ds-d7gwk	run
hostPath volume used	kube-system	/sys/fs/bpf	microsoft-defender-collector-ds-d7gwk	bpffs
hostPath volume used	kube-system	/var/log	microsoft-defender-collector-ds-mdcs8	host-log
hostPath volume used	kube-system	/sys/kernel	microsoft-defender-collector-ds-mdcs8	debugfs
hostPath volume used	kube-system	/lib/modules	microsoft-defender-collector-ds-mdcs8	modules
hostPath volume used	kube-system	/usr/src	microsoft-defender-collector-ds-mdcs8	usr-src
hostPath volume used	kube-system	/run/containerd/containerd.sock	microsoft-defender-collector-ds-mdcs8	containerd-file-sock
hostPath volume used	kube-system	/proc	microsoft-defender-collector-ds-mdcs8	proc
hostPath volume used	kube-system	/bin	microsoft-defender-collector-ds-mdcs8	bin
hostPath volume used	kube-system	/etc	microsoft-defender-collector-ds-mdcs8	etc
hostPath volume used	kube-system	/opt	microsoft-defender-collector-ds-mdcs8	opt
hostPath volume used	kube-system	/usr	microsoft-defender-collector-ds-mdcs8	usr
hostPath volume used	kube-system	/run	microsoft-defender-collector-ds-mdcs8	run
hostPath volume used	kube-system	/sys/fs/bpf	microsoft-defender-collector-ds-mdcs8	bpffs
hostPath volume used	kube-system	/var/log	microsoft-defender-collector-ds-q6d6c	host-log
hostPath volume used	kube-system	/sys/kernel	microsoft-defender-collector-ds-q6d6c	debugfs
hostPath volume used	kube-system	/lib/modules	microsoft-defender-collector-ds-q6d6c	modules
hostPath volume used	kube-system	/usr/src	microsoft-defender-collector-ds-q6d6c	usr-src
hostPath volume used	kube-system	/run/containerd/containerd.sock	microsoft-defender-collector-ds-q6d6c	containerd-file-sock
hostPath volume used	kube-system	/proc	microsoft-defender-collector-ds-q6d6c	proc
hostPath volume used	kube-system	/bin	microsoft-defender-collector-ds-q6d6c	bin
hostPath volume used	kube-system	/etc	microsoft-defender-collector-ds-q6d6c	etc
hostPath volume used	kube-system	/opt	microsoft-defender-collector-ds-q6d6c	opt
hostPath volume used	kube-system	/usr	microsoft-defender-collector-ds-q6d6c	usr
hostPath volume used	kube-system	/run	microsoft-defender-collector-ds-q6d6c	run
hostPath volume used	kube-system	/sys/fs/bpf	microsoft-defender-collector-ds-q6d6c	bpffs
hostPath volume used	kube-system	/var/log	microsoft-defender-collector-ds-wb5dm	host-log
hostPath volume used	kube-system	/sys/kernel	microsoft-defender-collector-ds-wb5dm	debugfs
hostPath volume used	kube-system	/lib/modules	microsoft-defender-collector-ds-wb5dm	modules
hostPath volume used	kube-system	/usr/src	microsoft-defender-collector-ds-wb5dm	usr-src
hostPath volume used	kube-system	/run/containerd/containerd.sock	microsoft-defender-collector-ds-wb5dm	containerd-file-sock
hostPath volume used	kube-system	/proc	microsoft-defender-collector-ds-wb5dm	proc
hostPath volume used	kube-system	/bin	microsoft-defender-collector-ds-wb5dm	bin
hostPath volume used	kube-system	/etc	microsoft-defender-collector-ds-wb5dm	etc
hostPath volume used	kube-system	/opt	microsoft-defender-collector-ds-wb5dm	opt
hostPath volume used	kube-system	/usr	microsoft-defender-collector-ds-wb5dm	usr
hostPath volume used	kube-system	/run	microsoft-defender-collector-ds-wb5dm	run
hostPath volume used	kube-system	/sys/fs/bpf	microsoft-defender-collector-ds-wb5dm	bpffs
hostPath volume used	kube-system	/var/log	microsoft-defender-collector-misc-7df6776447-bcbph	host-log
hostPath volume used	kube-system	/var/microsoft/microsoft-defender-for-cloud	microsoft-defender-publisher-ds-2ql5b	cert-onboarding
hostPath volume used	kube-system	/	microsoft-defender-publisher-ds-2ql5b	host-root
hostPath volume used	kube-system	/var/run	microsoft-defender-publisher-ds-2ql5b	docker-sock
hostPath volume used	kube-system	/etc/hostname	microsoft-defender-publisher-ds-2ql5b	container-hostname
hostPath volume used	kube-system	/var/log	microsoft-defender-publisher-ds-2ql5b	host-log
hostPath volume used	kube-system	/etc/kubernetes	microsoft-defender-publisher-ds-2ql5b	azure-json-path
hostPath volume used	kube-system	/var/microsoft/microsoft-defender-for-cloud	microsoft-defender-publisher-ds-2rsrw	cert-onboarding
hostPath volume used	kube-system	/	microsoft-defender-publisher-ds-2rsrw	host-root
hostPath volume used	kube-system	/var/run	microsoft-defender-publisher-ds-2rsrw	docker-sock
hostPath volume used	kube-system	/etc/hostname	microsoft-defender-publisher-ds-2rsrw	container-hostname
hostPath volume used	kube-system	/var/log	microsoft-defender-publisher-ds-2rsrw	host-log
hostPath volume used	kube-system	/etc/kubernetes	microsoft-defender-publisher-ds-2rsrw	azure-json-path
hostPath volume used	kube-system	/var/microsoft/microsoft-defender-for-cloud	microsoft-defender-publisher-ds-jj6dh	cert-onboarding
hostPath volume used	kube-system	/	microsoft-defender-publisher-ds-jj6dh	host-root
hostPath volume used	kube-system	/var/run	microsoft-defender-publisher-ds-jj6dh	docker-sock
hostPath volume used	kube-system	/etc/hostname	microsoft-defender-publisher-ds-jj6dh	container-hostname
hostPath volume used	kube-system	/var/log	microsoft-defender-publisher-ds-jj6dh	host-log
hostPath volume used	kube-system	/etc/kubernetes	microsoft-defender-publisher-ds-jj6dh	azure-json-path
hostPath volume used	kube-system	/var/microsoft/microsoft-defender-for-cloud	microsoft-defender-publisher-ds-l5crs	cert-onboarding
hostPath volume used	kube-system	/	microsoft-defender-publisher-ds-l5crs	host-root
hostPath volume used	kube-system	/var/run	microsoft-defender-publisher-ds-l5crs	docker-sock
hostPath volume used	kube-system	/etc/hostname	microsoft-defender-publisher-ds-l5crs	container-hostname
hostPath volume used	kube-system	/var/log	microsoft-defender-publisher-ds-l5crs	host-log
hostPath volume used	kube-system	/etc/kubernetes	microsoft-defender-publisher-ds-l5crs	azure-json-path
hostPath volume used	kube-system	/var/microsoft/microsoft-defender-for-cloud	microsoft-defender-publisher-ds-lfk8h	cert-onboarding
hostPath volume used	kube-system	/	microsoft-defender-publisher-ds-lfk8h	host-root
hostPath volume used	kube-system	/var/run	microsoft-defender-publisher-ds-lfk8h	docker-sock
hostPath volume used	kube-system	/etc/hostname	microsoft-defender-publisher-ds-lfk8h	container-hostname
hostPath volume used	kube-system	/var/log	microsoft-defender-publisher-ds-lfk8h	host-log
hostPath volume used	kube-system	/etc/kubernetes	microsoft-defender-publisher-ds-lfk8h	azure-json-path
hostPath volume used	kube-system	/var/microsoft/microsoft-defender-for-cloud	microsoft-defender-publisher-ds-vz2c6	cert-onboarding
hostPath volume used	kube-system	/	microsoft-defender-publisher-ds-vz2c6	host-root
hostPath volume used	kube-system	/var/run	microsoft-defender-publisher-ds-vz2c6	docker-sock
hostPath volume used	kube-system	/etc/hostname	microsoft-defender-publisher-ds-vz2c6	container-hostname
hostPath volume used	kube-system	/var/log	microsoft-defender-publisher-ds-vz2c6	host-log
hostPath volume used	kube-system	/etc/kubernetes	microsoft-defender-publisher-ds-vz2c6	azure-json-path
hostPath volume used	kube-system	/sys/kernel/debug	retina-agent-9g44d	debug
hostPath volume used	kube-system	/sys/kernel/tracing	retina-agent-9g44d	trace
hostPath volume used	kube-system	/sys/fs/bpf	retina-agent-9g44d	bpf
hostPath volume used	kube-system	/sys/fs/cgroup	retina-agent-9g44d	cgroup
hostPath volume used	kube-system	/var/run/cilium	retina-agent-9g44d	cilium
hostPath volume used	kube-system	/sys/kernel/debug	retina-agent-d6wf4	debug
hostPath volume used	kube-system	/sys/kernel/tracing	retina-agent-d6wf4	trace
hostPath volume used	kube-system	/sys/fs/bpf	retina-agent-d6wf4	bpf
hostPath volume used	kube-system	/sys/fs/cgroup	retina-agent-d6wf4	cgroup
hostPath volume used	kube-system	/var/run/cilium	retina-agent-d6wf4	cilium
hostPath volume used	kube-system	/sys/kernel/debug	retina-agent-gj4r5	debug
hostPath volume used	kube-system	/sys/kernel/tracing	retina-agent-gj4r5	trace
hostPath volume used	kube-system	/sys/fs/bpf	retina-agent-gj4r5	bpf
hostPath volume used	kube-system	/sys/fs/cgroup	retina-agent-gj4r5	cgroup
hostPath volume used	kube-system	/var/run/cilium	retina-agent-gj4r5	cilium
hostPath volume used	kube-system	/sys/kernel/debug	retina-agent-rndzh	debug
hostPath volume used	kube-system	/sys/kernel/tracing	retina-agent-rndzh	trace
hostPath volume used	kube-system	/sys/fs/bpf	retina-agent-rndzh	bpf
hostPath volume used	kube-system	/sys/fs/cgroup	retina-agent-rndzh	cgroup
hostPath volume used	kube-system	/var/run/cilium	retina-agent-rndzh	cilium
hostPath volume used	kube-system	/sys/kernel/debug	retina-agent-szggl	debug
hostPath volume used	kube-system	/sys/kernel/tracing	retina-agent-szggl	trace
hostPath volume used	kube-system	/sys/fs/bpf	retina-agent-szggl	bpf
hostPath volume used	kube-system	/sys/fs/cgroup	retina-agent-szggl	cgroup
hostPath volume used	kube-system	/var/run/cilium	retina-agent-szggl	cilium
hostPath volume used	kube-system	/sys/kernel/debug	retina-agent-t68m8	debug
hostPath volume used	kube-system	/sys/kernel/tracing	retina-agent-t68m8	trace
hostPath volume used	kube-system	/sys/fs/bpf	retina-agent-t68m8	bpf
hostPath volume used	kube-system	/sys/fs/cgroup	retina-agent-t68m8	cgroup
hostPath volume used	kube-system	/var/run/cilium	retina-agent-t68m8	cilium

SEC011 - Containers Running as UID 0 iDetects containers explicitly set to run as user 0 (root).

⚠️ Total Pods with Issues: 13

Show Findings

Recommendations

Set runAsUser to a non-root user ID.
Use runAsNonRoot: true for validation.

Container	Issue	Namespace	Pod
provider-azure-installer	Container runs as UID 0	kube-system	aks-secrets-store-provider-azure-68nhw
provider-azure-installer	Container runs as UID 0	kube-system	aks-secrets-store-provider-azure-7bqmn
provider-azure-installer	Container runs as UID 0	kube-system	aks-secrets-store-provider-azure-7r458
provider-azure-installer	Container runs as UID 0	kube-system	aks-secrets-store-provider-azure-k9tdc
provider-azure-installer	Container runs as UID 0	kube-system	aks-secrets-store-provider-azure-n952g
provider-azure-installer	Container runs as UID 0	kube-system	aks-secrets-store-provider-azure-njpqh
azure-policy	Container runs as UID 0	kube-system	azure-policy-698f7c86b4-nnff2
retina	Container runs as UID 0	kube-system	retina-agent-9g44d
retina	Container runs as UID 0	kube-system	retina-agent-d6wf4
retina	Container runs as UID 0	kube-system	retina-agent-gj4r5
retina	Container runs as UID 0	kube-system	retina-agent-rndzh
retina	Container runs as UID 0	kube-system	retina-agent-szggl
retina	Container runs as UID 0	kube-system	retina-agent-t68m8

SEC012 - Added Linux Capabilities iFlags containers that add extra Linux capabilities using securityContext.capabilities.add.

⚠️ Total Pods with Issues: 70

Show Findings

Recommendations

Review and remove unnecessary capabilities.
Default to dropping all, then selectively add only what's needed.

Capabilities	Container	Issue	Namespace	Pod
NET_BIND_SERVICE	controller	Added Linux capabilities	app-routing-system	nginx-69fcb489fd-4wgk9
NET_BIND_SERVICE	controller	Added Linux capabilities	app-routing-system	nginx-69fcb489fd-64v6k
DAC_OVERRIDE	ama-logs	Added Linux capabilities	kube-system	ama-logs-4v8mz
DAC_OVERRIDE	ama-logs-prometheus	Added Linux capabilities	kube-system	ama-logs-4v8mz
DAC_OVERRIDE	ama-logs	Added Linux capabilities	kube-system	ama-logs-5vr2w
DAC_OVERRIDE	ama-logs-prometheus	Added Linux capabilities	kube-system	ama-logs-5vr2w
DAC_OVERRIDE	ama-logs	Added Linux capabilities	kube-system	ama-logs-fmd7b
DAC_OVERRIDE	ama-logs-prometheus	Added Linux capabilities	kube-system	ama-logs-fmd7b
DAC_OVERRIDE	ama-logs	Added Linux capabilities	kube-system	ama-logs-fpkw6
DAC_OVERRIDE	ama-logs-prometheus	Added Linux capabilities	kube-system	ama-logs-fpkw6
DAC_OVERRIDE	ama-logs	Added Linux capabilities	kube-system	ama-logs-gqs28
DAC_OVERRIDE	ama-logs-prometheus	Added Linux capabilities	kube-system	ama-logs-gqs28
DAC_OVERRIDE	ama-logs	Added Linux capabilities	kube-system	ama-logs-ndxrw
DAC_OVERRIDE	ama-logs-prometheus	Added Linux capabilities	kube-system	ama-logs-ndxrw
DAC_OVERRIDE	ama-logs	Added Linux capabilities	kube-system	ama-logs-rs-64765bd4b9-ldxwl
DAC_OVERRIDE	prometheus-collector	Added Linux capabilities	kube-system	ama-metrics-7f878d975f-hlggb
NET_ADMIN, NET_RAW	addon-token-adapter	Added Linux capabilities	kube-system	ama-metrics-7f878d975f-hlggb
DAC_OVERRIDE	prometheus-collector	Added Linux capabilities	kube-system	ama-metrics-7f878d975f-q2mlg
NET_ADMIN, NET_RAW	addon-token-adapter	Added Linux capabilities	kube-system	ama-metrics-7f878d975f-q2mlg
DAC_OVERRIDE	prometheus-collector	Added Linux capabilities	kube-system	ama-metrics-node-2ssrw
NET_ADMIN, NET_RAW	addon-token-adapter	Added Linux capabilities	kube-system	ama-metrics-node-2ssrw
DAC_OVERRIDE	prometheus-collector	Added Linux capabilities	kube-system	ama-metrics-node-6kkz8
NET_ADMIN, NET_RAW	addon-token-adapter	Added Linux capabilities	kube-system	ama-metrics-node-6kkz8
DAC_OVERRIDE	prometheus-collector	Added Linux capabilities	kube-system	ama-metrics-node-9h44h
NET_ADMIN, NET_RAW	addon-token-adapter	Added Linux capabilities	kube-system	ama-metrics-node-9h44h
DAC_OVERRIDE	prometheus-collector	Added Linux capabilities	kube-system	ama-metrics-node-lhk42
NET_ADMIN, NET_RAW	addon-token-adapter	Added Linux capabilities	kube-system	ama-metrics-node-lhk42
DAC_OVERRIDE	prometheus-collector	Added Linux capabilities	kube-system	ama-metrics-node-nm5bf
NET_ADMIN, NET_RAW	addon-token-adapter	Added Linux capabilities	kube-system	ama-metrics-node-nm5bf
DAC_OVERRIDE	prometheus-collector	Added Linux capabilities	kube-system	ama-metrics-node-pqcz5
NET_ADMIN, NET_RAW	addon-token-adapter	Added Linux capabilities	kube-system	ama-metrics-node-pqcz5
NET_ADMIN, NET_RAW	azure-ip-masq-agent	Added Linux capabilities	kube-system	azure-ip-masq-agent-4522j
NET_ADMIN, NET_RAW	azure-ip-masq-agent	Added Linux capabilities	kube-system	azure-ip-masq-agent-4c7cr
NET_ADMIN, NET_RAW	azure-ip-masq-agent	Added Linux capabilities	kube-system	azure-ip-masq-agent-78rnw
NET_ADMIN, NET_RAW	azure-ip-masq-agent	Added Linux capabilities	kube-system	azure-ip-masq-agent-84ltn
NET_ADMIN, NET_RAW	azure-ip-masq-agent	Added Linux capabilities	kube-system	azure-ip-masq-agent-t4c2w
NET_ADMIN, NET_RAW	azure-ip-masq-agent	Added Linux capabilities	kube-system	azure-ip-masq-agent-vbdd8
NET_ADMIN, NET_RAW	azure-npm	Added Linux capabilities	kube-system	azure-npm-jsbbh
NET_ADMIN, NET_RAW	azure-npm	Added Linux capabilities	kube-system	azure-npm-lp6sf
NET_ADMIN, NET_RAW	azure-npm	Added Linux capabilities	kube-system	azure-npm-nv6xx
NET_ADMIN, NET_RAW	azure-npm	Added Linux capabilities	kube-system	azure-npm-p6fpw
NET_ADMIN, NET_RAW	azure-npm	Added Linux capabilities	kube-system	azure-npm-vsrfp
NET_ADMIN, NET_RAW	azure-npm	Added Linux capabilities	kube-system	azure-npm-z8mcz
NET_BIND_SERVICE	coredns	Added Linux capabilities	kube-system	coredns-658d6d767d-757xp
NET_BIND_SERVICE	coredns	Added Linux capabilities	kube-system	coredns-658d6d767d-pt6l6
NET_RAW, NET_ADMIN	microsoft-defender-pod-collector	Added Linux capabilities	kube-system	microsoft-defender-collector-ds-6xdfq
SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW	microsoft-defender-low-level-collector	Added Linux capabilities	kube-system	microsoft-defender-collector-ds-6xdfq
NET_RAW, NET_ADMIN	microsoft-defender-pod-collector	Added Linux capabilities	kube-system	microsoft-defender-collector-ds-89l74
SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW	microsoft-defender-low-level-collector	Added Linux capabilities	kube-system	microsoft-defender-collector-ds-89l74
NET_RAW, NET_ADMIN	microsoft-defender-pod-collector	Added Linux capabilities	kube-system	microsoft-defender-collector-ds-d7gwk
SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW	microsoft-defender-low-level-collector	Added Linux capabilities	kube-system	microsoft-defender-collector-ds-d7gwk
NET_RAW, NET_ADMIN	microsoft-defender-pod-collector	Added Linux capabilities	kube-system	microsoft-defender-collector-ds-mdcs8
SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW	microsoft-defender-low-level-collector	Added Linux capabilities	kube-system	microsoft-defender-collector-ds-mdcs8
NET_RAW, NET_ADMIN	microsoft-defender-pod-collector	Added Linux capabilities	kube-system	microsoft-defender-collector-ds-q6d6c
SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW	microsoft-defender-low-level-collector	Added Linux capabilities	kube-system	microsoft-defender-collector-ds-q6d6c
NET_RAW, NET_ADMIN	microsoft-defender-pod-collector	Added Linux capabilities	kube-system	microsoft-defender-collector-ds-wb5dm
SYS_ADMIN, SYS_RESOURCE, SYS_PTRACE, SYSLOG, IPC_LOCK, NET_ADMIN, NET_RAW	microsoft-defender-low-level-collector	Added Linux capabilities	kube-system	microsoft-defender-collector-ds-wb5dm
NET_RAW, NET_ADMIN	microsoft-defender-pod-collector	Added Linux capabilities	kube-system	microsoft-defender-collector-misc-7df6776447-bcbph
NET_RAW, NET_ADMIN	microsoft-defender-publisher	Added Linux capabilities	kube-system	microsoft-defender-publisher-ds-2ql5b
NET_RAW, NET_ADMIN	microsoft-defender-publisher	Added Linux capabilities	kube-system	microsoft-defender-publisher-ds-2rsrw
NET_RAW, NET_ADMIN	microsoft-defender-publisher	Added Linux capabilities	kube-system	microsoft-defender-publisher-ds-jj6dh
NET_RAW, NET_ADMIN	microsoft-defender-publisher	Added Linux capabilities	kube-system	microsoft-defender-publisher-ds-l5crs
NET_RAW, NET_ADMIN	microsoft-defender-publisher	Added Linux capabilities	kube-system	microsoft-defender-publisher-ds-lfk8h
NET_RAW, NET_ADMIN	microsoft-defender-publisher	Added Linux capabilities	kube-system	microsoft-defender-publisher-ds-vz2c6
SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK	retina	Added Linux capabilities	kube-system	retina-agent-9g44d
SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK	retina	Added Linux capabilities	kube-system	retina-agent-d6wf4
SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK	retina	Added Linux capabilities	kube-system	retina-agent-gj4r5
SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK	retina	Added Linux capabilities	kube-system	retina-agent-rndzh
SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK	retina	Added Linux capabilities	kube-system	retina-agent-szggl
SYS_ADMIN, SYS_RESOURCE, NET_ADMIN, NET_RAW, IPC_LOCK	retina	Added Linux capabilities	kube-system	retina-agent-t68m8

SEC013 - EmptyDir Volume Usage iEmptyDir volumes are ephemeral and cleared on pod restart. Use only if data persistence is not needed.

⚠️ Total Pods with Issues: 98

Show Findings

Recommendations

Audit use of EmptyDir volumes in production workloads.
Replace with PVCs or other managed storage if persistence is needed.

Issue	Namespace	Pod	Volume
EmptyDir volume used	aks-istio-ingress	aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4	workload-socket
EmptyDir volume used	aks-istio-ingress	aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4	credential-socket
EmptyDir volume used	aks-istio-ingress	aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4	workload-certs
EmptyDir volume used	aks-istio-ingress	aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4	istio-envoy
EmptyDir volume used	aks-istio-ingress	aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-hdfn4	istio-data
EmptyDir volume used	aks-istio-ingress	aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb	workload-socket
EmptyDir volume used	aks-istio-ingress	aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb	credential-socket
EmptyDir volume used	aks-istio-ingress	aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb	workload-certs
EmptyDir volume used	aks-istio-ingress	aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb	istio-envoy
EmptyDir volume used	aks-istio-ingress	aks-istio-ingressgateway-external-asm-1-23-59bd5fbf44-zqwtb	istio-data
EmptyDir volume used	aks-istio-system	istiod-asm-1-23-7744d5fbf4-9572m	local-certs
EmptyDir volume used	aks-istio-system	istiod-asm-1-23-7744d5fbf4-rqzvt	local-certs
EmptyDir volume used	argocd	argocd-application-controller-0	argocd-home
EmptyDir volume used	argocd	argocd-application-controller-0	argocd-application-controller-tmp
EmptyDir volume used	argocd	argocd-applicationset-controller-6fdf84dbb6-msffz	gpg-keyring
EmptyDir volume used	argocd	argocd-applicationset-controller-6fdf84dbb6-msffz	tmp
EmptyDir volume used	argocd	argocd-dex-server-556c76889-h4kxj	static-files
EmptyDir volume used	argocd	argocd-dex-server-556c76889-h4kxj	dexconfig
EmptyDir volume used	argocd	argocd-redis-ha-haproxy-fb657456c-kjbkq	shared-socket
EmptyDir volume used	argocd	argocd-redis-ha-haproxy-fb657456c-kjbkq	data
EmptyDir volume used	argocd	argocd-redis-ha-haproxy-fb657456c-kjlpf	shared-socket
EmptyDir volume used	argocd	argocd-redis-ha-haproxy-fb657456c-kjlpf	data
EmptyDir volume used	argocd	argocd-redis-ha-haproxy-fb657456c-tnjmb	shared-socket
EmptyDir volume used	argocd	argocd-redis-ha-haproxy-fb657456c-tnjmb	data
EmptyDir volume used	argocd	argocd-redis-ha-server-0	data
EmptyDir volume used	argocd	argocd-redis-ha-server-1	data
EmptyDir volume used	argocd	argocd-redis-ha-server-2	data
EmptyDir volume used	argocd	argocd-repo-server-8568fc89b5-sx6ks	gpg-keyring
EmptyDir volume used	argocd	argocd-repo-server-8568fc89b5-sx6ks	tmp
EmptyDir volume used	argocd	argocd-repo-server-8568fc89b5-sx6ks	helm-working-dir
EmptyDir volume used	argocd	argocd-repo-server-8568fc89b5-sx6ks	var-files
EmptyDir volume used	argocd	argocd-repo-server-8568fc89b5-sx6ks	plugins
EmptyDir volume used	argocd	argocd-repo-server-8568fc89b5-xrzzn	gpg-keyring
EmptyDir volume used	argocd	argocd-repo-server-8568fc89b5-xrzzn	tmp
EmptyDir volume used	argocd	argocd-repo-server-8568fc89b5-xrzzn	helm-working-dir
EmptyDir volume used	argocd	argocd-repo-server-8568fc89b5-xrzzn	var-files
EmptyDir volume used	argocd	argocd-repo-server-8568fc89b5-xrzzn	plugins
EmptyDir volume used	argocd	argocd-server-c5b86c885-2zqmx	plugins-home
EmptyDir volume used	argocd	argocd-server-c5b86c885-2zqmx	tmp
EmptyDir volume used	argocd	argocd-server-c5b86c885-zlzd5	plugins-home
EmptyDir volume used	argocd	argocd-server-c5b86c885-zlzd5	tmp
EmptyDir volume used	gatekeeper-system	gatekeeper-audit-77858c8f69-7k782	tmp-volume
EmptyDir volume used	kiali-operator	kiali-operator-696bd54db-mr8md	tmp
EmptyDir volume used	kube-system	ama-logs-4v8mz	mdsd-prometheus-sock
EmptyDir volume used	kube-system	ama-logs-5vr2w	mdsd-prometheus-sock
EmptyDir volume used	kube-system	ama-logs-fmd7b	mdsd-prometheus-sock
EmptyDir volume used	kube-system	ama-logs-fpkw6	mdsd-prometheus-sock
EmptyDir volume used	kube-system	ama-logs-gqs28	mdsd-prometheus-sock
EmptyDir volume used	kube-system	ama-logs-ndxrw	mdsd-prometheus-sock
EmptyDir volume used	kube-system	ama-metrics-operator-targets-66fb46c8d6-vskdg	ta-config-shared
EmptyDir volume used	kube-system	azure-npm-jsbbh	tmp
EmptyDir volume used	kube-system	azure-npm-lp6sf	tmp
EmptyDir volume used	kube-system	azure-npm-nv6xx	tmp
EmptyDir volume used	kube-system	azure-npm-p6fpw	tmp
EmptyDir volume used	kube-system	azure-npm-vsrfp	tmp
EmptyDir volume used	kube-system	azure-npm-z8mcz	tmp
EmptyDir volume used	kube-system	coredns-658d6d767d-757xp	tmp
EmptyDir volume used	kube-system	coredns-658d6d767d-pt6l6	tmp
EmptyDir volume used	kube-system	metrics-server-5f9ccffcc4-jsrjl	tmp-dir
EmptyDir volume used	kube-system	metrics-server-5f9ccffcc4-v88pw	tmp-dir
EmptyDir volume used	kube-system	microsoft-defender-collector-ds-6xdfq	ebpf
EmptyDir volume used	kube-system	microsoft-defender-collector-ds-89l74	ebpf
EmptyDir volume used	kube-system	microsoft-defender-collector-ds-d7gwk	ebpf
EmptyDir volume used	kube-system	microsoft-defender-collector-ds-mdcs8	ebpf
EmptyDir volume used	kube-system	microsoft-defender-collector-ds-q6d6c	ebpf
EmptyDir volume used	kube-system	microsoft-defender-collector-ds-wb5dm	ebpf
EmptyDir volume used	kube-system	microsoft-defender-publisher-ds-2ql5b	fluent-bit-conf
EmptyDir volume used	kube-system	microsoft-defender-publisher-ds-2rsrw	fluent-bit-conf
EmptyDir volume used	kube-system	microsoft-defender-publisher-ds-jj6dh	fluent-bit-conf
EmptyDir volume used	kube-system	microsoft-defender-publisher-ds-l5crs	fluent-bit-conf
EmptyDir volume used	kube-system	microsoft-defender-publisher-ds-lfk8h	fluent-bit-conf
EmptyDir volume used	kube-system	microsoft-defender-publisher-ds-vz2c6	fluent-bit-conf
EmptyDir volume used	kube-system	retina-agent-9g44d	tmp
EmptyDir volume used	kube-system	retina-agent-d6wf4	tmp
EmptyDir volume used	kube-system	retina-agent-gj4r5	tmp
EmptyDir volume used	kube-system	retina-agent-rndzh	tmp
EmptyDir volume used	kube-system	retina-agent-szggl	tmp
EmptyDir volume used	kube-system	retina-agent-t68m8	tmp
EmptyDir volume used	pets	order-service-6c5bfb6946-b58xq	workload-socket
EmptyDir volume used	pets	order-service-6c5bfb6946-b58xq	credential-socket
EmptyDir volume used	pets	order-service-6c5bfb6946-b58xq	workload-certs
EmptyDir volume used	pets	order-service-6c5bfb6946-b58xq	istio-envoy
EmptyDir volume used	pets	order-service-6c5bfb6946-b58xq	istio-data
EmptyDir volume used	pets	product-service-5dd87dfb8-ssfxc	workload-socket
EmptyDir volume used	pets	product-service-5dd87dfb8-ssfxc	credential-socket
EmptyDir volume used	pets	product-service-5dd87dfb8-ssfxc	workload-certs
EmptyDir volume used	pets	product-service-5dd87dfb8-ssfxc	istio-envoy
EmptyDir volume used	pets	product-service-5dd87dfb8-ssfxc	istio-data
EmptyDir volume used	pets	rabbitmq-0	workload-socket
EmptyDir volume used	pets	rabbitmq-0	credential-socket
EmptyDir volume used	pets	rabbitmq-0	workload-certs
EmptyDir volume used	pets	rabbitmq-0	istio-envoy
EmptyDir volume used	pets	rabbitmq-0	istio-data
EmptyDir volume used	pets	store-front-658994fd95-pk9qn	workload-socket
EmptyDir volume used	pets	store-front-658994fd95-pk9qn	credential-socket
EmptyDir volume used	pets	store-front-658994fd95-pk9qn	workload-certs
EmptyDir volume used	pets	store-front-658994fd95-pk9qn	istio-envoy
EmptyDir volume used	pets	store-front-658994fd95-pk9qn	istio-data

SEC014 - Untrusted Image Registries iFlags images that are not pulled from approved registries.

⚠️ Total Pods with Issues: 15

Show Findings

Recommendations

Use approved internal or vendor-verified registries.
Restrict image pull policies using Gatekeeper or admission plugins.

Container	Image	Issue	Namespace	Pod
webserver-simple	docker.io/kostiscodefresh/gitops-simple-app:v1.0	Image from untrusted registry	argo-rollouts	simple-deployment-74fd649f8d-996vt
webserver-simple	docker.io/kostiscodefresh/gitops-simple-app:v1.0	Image from untrusted registry	argo-workflows	simple-deployment-74fd649f8d-24t56
webserver-simple	docker.io/kostiscodefresh/gitops-simple-app:v1.0	Image from untrusted registry	cert-manager	simple-deployment-74fd649f8d-7cht8
webserver-simple	docker.io/kostiscodefresh/gitops-simple-app:v1.0	Image from untrusted registry	grafana	simple-deployment-74fd649f8d-l7wrd
kiali	quay.io/kiali/kiali:v2.7.1	Image from untrusted registry	kiali-operator	kiali-5b88cfb6f8-cm8dz
operator	quay.io/kiali/kiali-operator:v2.7.1	Image from untrusted registry	kiali-operator	kiali-operator-696bd54db-mr8md
webserver-simple	docker.io/kostiscodefresh/gitops-simple-app:v1.0	Image from untrusted registry	kubeview	simple-deployment-74fd649f8d-qxp2r
webserver-simple	docker.io/kostiscodefresh/gitops-simple-app:v1.0	Image from untrusted registry	linkerd	simple-deployment-74fd649f8d-mkmst
webserver-simple	docker.io/kostiscodefresh/gitops-simple-app:v1.0	Image from untrusted registry	nginx	simple-deployment-74fd649f8d-hlcdk
order-service	ghcr.io/azure-samples/aks-store-demo/order-service:latest	Image from untrusted registry	pets	order-service-6c5bfb6946-b58xq
product-service	ghcr.io/azure-samples/aks-store-demo/product-service:latest	Image from untrusted registry	pets	product-service-5dd87dfb8-ssfxc
store-front	ghcr.io/azure-samples/aks-store-demo/store-front:latest	Image from untrusted registry	pets	store-front-658994fd95-pk9qn
webserver-simple	docker.io/kostiscodefresh/gitops-simple-app:v1.0	Image from untrusted registry	prometheus	simple-deployment-74fd649f8d-2x6w5
webserver-simple	docker.io/kostiscodefresh/gitops-simple-app:v1.0	Image from untrusted registry	sealed-secrets	simple-deployment-74fd649f8d-stktp
webserver-simple	docker.io/kostiscodefresh/gitops-simple-app:v1.0	Image from untrusted registry	test	simple-deployment-74fd649f8d-lhlkx

SEC015 - Pods Using Default ServiceAccount iFlags pods using the default service account, which may have broad permissions.

⚠️ Total Pods with Issues: 20

Show Findings

Recommendations

Create and bind a custom ServiceAccount per application.
Avoid using the default ServiceAccount unless absolutely necessary.

Issue	Namespace	Pod	ServiceAccount
Using default ServiceAccount	argo-rollouts	simple-deployment-74fd649f8d-996vt	default
Using default ServiceAccount	argo-workflows	simple-deployment-74fd649f8d-24t56	default
Using default ServiceAccount	cert-manager	simple-deployment-74fd649f8d-7cht8	default
Using default ServiceAccount	grafana	simple-deployment-74fd649f8d-l7wrd	default
Using default ServiceAccount	kube-system	azure-ip-masq-agent-4522j	default
Using default ServiceAccount	kube-system	azure-ip-masq-agent-4c7cr	default
Using default ServiceAccount	kube-system	azure-ip-masq-agent-78rnw	default
Using default ServiceAccount	kube-system	azure-ip-masq-agent-84ltn	default
Using default ServiceAccount	kube-system	azure-ip-masq-agent-t4c2w	default
Using default ServiceAccount	kube-system	azure-ip-masq-agent-vbdd8	default
Using default ServiceAccount	kubeview	simple-deployment-74fd649f8d-qxp2r	default
Using default ServiceAccount	linkerd	simple-deployment-74fd649f8d-mkmst	default
Using default ServiceAccount	nginx	simple-deployment-74fd649f8d-hlcdk	default
Using default ServiceAccount	pets	order-service-6c5bfb6946-b58xq	default
Using default ServiceAccount	pets	product-service-5dd87dfb8-ssfxc	default
Using default ServiceAccount	pets	rabbitmq-0	default
Using default ServiceAccount	pets	store-front-658994fd95-pk9qn	default
Using default ServiceAccount	prometheus	simple-deployment-74fd649f8d-2x6w5	default
Using default ServiceAccount	sealed-secrets	simple-deployment-74fd649f8d-stktp	default
Using default ServiceAccount	test	simple-deployment-74fd649f8d-lhlkx	default

SEC016 - Non-Existent Secret References iFlags pods referencing Secrets that do not exist. This may cause runtime failures.

⚠️ Total Pods with Issues: 33

Show Findings

Recommendations

Check envFrom, secretKeyRef, and volume.secret.secretName references.
Create missing Secrets or remove invalid references.

Issue	Namespace	Pod	Secret	Volume
Missing secret reference in volume	aks-istio-system	istiod-asm-1-23-7744d5fbf4-9572m	cacerts	cacerts
Missing secret reference in volume	aks-istio-system	istiod-asm-1-23-7744d5fbf4-9572m	istio-kubeconfig	istio-kubeconfig
Missing secret reference in volume	aks-istio-system	istiod-asm-1-23-7744d5fbf4-9572m	istiod-tls	istio-csr-dns-cert
Missing secret reference in volume	aks-istio-system	istiod-asm-1-23-7744d5fbf4-rqzvt	cacerts	cacerts
Missing secret reference in volume	aks-istio-system	istiod-asm-1-23-7744d5fbf4-rqzvt	istio-kubeconfig	istio-kubeconfig
Missing secret reference in volume	aks-istio-system	istiod-asm-1-23-7744d5fbf4-rqzvt	istiod-tls	istio-csr-dns-cert
Missing secret reference in volume	argocd	argocd-application-controller-0	argocd-repo-server-tls	argocd-repo-server-tls
Missing secret reference in volume	argocd	argocd-applicationset-controller-6fdf84dbb6-msffz	argocd-repo-server-tls	argocd-repo-server-tls
Missing secret reference in volume	argocd	argocd-dex-server-556c76889-h4kxj	argocd-dex-server-tls	argocd-dex-server-tls
Missing secret reference in volume	argocd	argocd-notifications-controller-6ff6bf8dd6-nbktr	argocd-repo-server-tls	argocd-repo-server-tls
Missing secret reference in volume	argocd	argocd-repo-server-8568fc89b5-sx6ks	argocd-repo-server-tls	argocd-repo-server-tls
Missing secret reference in volume	argocd	argocd-repo-server-8568fc89b5-xrzzn	argocd-repo-server-tls	argocd-repo-server-tls
Missing secret reference in volume	argocd	argocd-server-c5b86c885-2zqmx	argocd-repo-server-tls	argocd-repo-server-tls
Missing secret reference in volume	argocd	argocd-server-c5b86c885-2zqmx	argocd-dex-server-tls	argocd-dex-server-tls
Missing secret reference in volume	argocd	argocd-server-c5b86c885-zlzd5	argocd-repo-server-tls	argocd-repo-server-tls
Missing secret reference in volume	argocd	argocd-server-c5b86c885-zlzd5	argocd-dex-server-tls	argocd-dex-server-tls
Missing secret reference in volume	kiali-operator	kiali-5b88cfb6f8-cm8dz	kiali	kiali-secret
Missing secret reference in volume	kube-system	ama-logs-4v8mz	ama-logs-adx-secret	ama-logs-adx-secret
Missing secret reference in volume	kube-system	ama-logs-5vr2w	ama-logs-adx-secret	ama-logs-adx-secret
Missing secret reference in volume	kube-system	ama-logs-fmd7b	ama-logs-adx-secret	ama-logs-adx-secret
Missing secret reference in volume	kube-system	ama-logs-fpkw6	ama-logs-adx-secret	ama-logs-adx-secret
Missing secret reference in volume	kube-system	ama-logs-gqs28	ama-logs-adx-secret	ama-logs-adx-secret
Missing secret reference in volume	kube-system	ama-logs-ndxrw	ama-logs-adx-secret	ama-logs-adx-secret
Missing secret reference in volume	kube-system	ama-logs-rs-64765bd4b9-ldxwl	ama-logs-adx-secret	ama-logs-adx-secret
Missing secret reference in volume	kube-system	ama-metrics-7f878d975f-hlggb	ama-metrics-mtls-secret	ama-metrics-tls-secret-volume
Missing secret reference in volume	kube-system	ama-metrics-7f878d975f-q2mlg	ama-metrics-mtls-secret	ama-metrics-tls-secret-volume
Missing secret reference in volume	kube-system	ama-metrics-node-2ssrw	ama-metrics-mtls-secret	ama-metrics-tls-secret-volume
Missing secret reference in volume	kube-system	ama-metrics-node-6kkz8	ama-metrics-mtls-secret	ama-metrics-tls-secret-volume
Missing secret reference in volume	kube-system	ama-metrics-node-9h44h	ama-metrics-mtls-secret	ama-metrics-tls-secret-volume
Missing secret reference in volume	kube-system	ama-metrics-node-lhk42	ama-metrics-mtls-secret	ama-metrics-tls-secret-volume
Missing secret reference in volume	kube-system	ama-metrics-node-nm5bf	ama-metrics-mtls-secret	ama-metrics-tls-secret-volume
Missing secret reference in volume	kube-system	ama-metrics-node-pqcz5	ama-metrics-mtls-secret	ama-metrics-tls-secret-volume
Missing secret reference in volume	kube-system	ama-metrics-operator-targets-66fb46c8d6-vskdg	ama-metrics-mtls-secret	ama-metrics-tls-secret-volume

Kubernetes Warning Events

EVENT001 - Grouped Warning Events iGroups recent Warning events by Reason and Message.

✅ All Events are healthy.

EVENT002 - Full Warning Event Log iLists all recent Warning events in the cluster.

✅ All Events are healthy.

AKS Best Practices

AKS Best Practices Summary

✅ Passed: 33

❌ Failed: 5

📊 Total Checks: 38

🎯 Score: 86.84%

⭐ Rating: B

AKS Best Practices Results

Show Findings

ID	Check	Severity	Category	Status	Fail Message	Recommendation	URL
AKSBP001	Allowed Container Images Policy Enforcement	High	Best Practices	❌ FAIL	The 'Only Allowed Images' policy is either missing or not enforcing deny mode, increasing the risk of running untrusted images.	Deploy and enforce the 'Only Allowed Images' policy with deny mode to restrict unapproved images.	Learn More
AKSBP002	No Privileged Containers Policy Enforcement	High	Best Practices	❌ FAIL	The 'No Privileged Containers' policy is either missing or not enforcing deny mode, allowing potentially insecure workloads.	Deploy and enforce the 'No Privileged Containers' policy in deny mode to block privileged containers and enhance security.	Learn More
AKSRES002	AKS Built-in Cost Tooling Enabled	Medium	Resource Management	❌ FAIL	AKS built-in cost tooling (Open Costs) is not enabled, making cost allocation and optimization harder.	Enable cost analysis in the AKS metrics profile to gain insights into resource spending and optimize cost management.	Learn More
AKSSEC001	Private Cluster	High	Security	❌ FAIL	Cluster API server is publicly accessible, increasing security risks.	Configure the cluster as a private cluster to restrict API server access to your virtual network.	Learn More
AKSSEC08	Pod Security Admission Enabled	High	Security	❌ FAIL	Pod Security Admission is not enabled on this cluster. This may reduce baseline pod security.	Enable Pod Security Admission by setting 'podSecurityAdmissionConfiguration' during cluster creation or via supported upgrade path.	Learn More
AKSBP011	System Node Pool Minimum Size	High	Best Practices	✅ PASS		System Node Pool Minimum Size is enabled.	Learn More
AKSBP010	Customized MC_ Resource Group Name	Medium	Best Practices	✅ PASS		Customized MC_ Resource Group Name is enabled.	Learn More
AKSBP009	Node OS Upgrade Channel Configured	Medium	Best Practices	✅ PASS		Node OS Upgrade Channel Configured is enabled.	Learn More
AKSBP007	System Node Pool Taint	High	Best Practices	✅ PASS		System Node Pool Taint is enabled.	Learn More
AKSBP006	Non-Ephemeral Disks with Adequate Size	Medium	Best Practices	✅ PASS		Non-Ephemeral Disks with Adequate Size is enabled.	Learn More
AKSBP005	Ephemeral OS Disks Enabled	Medium	Best Practices	✅ PASS		Ephemeral OS Disks Enabled is enabled.	Learn More
AKSBP004	Azure Linux as Host OS	High	Best Practices	✅ PASS		Azure Linux as Host OS is enabled.	Learn More
AKSBP003	Multiple Node Pools	Medium	Best Practices	✅ PASS		Multiple Node Pools is enabled.	Learn More
AKSBP012	Node Pool Version Matches Control Plane	Medium	Best Practices	✅ PASS		Node Pool Version Matches Control Plane is enabled.	Learn More
AKSBP008	Auto Upgrade Channel Configured	Medium	Best Practices	✅ PASS		Auto Upgrade Channel Configured is enabled.	Learn More
AKSDR001	Agent Pools with Availability Zones	High	Disaster Recovery	✅ PASS		Agent Pools with Availability Zones is enabled.	Learn More
AKSDR002	Control Plane SLA	Medium	Disaster Recovery	✅ PASS		Control Plane SLA is enabled.	Learn More
AKSIAM001	RBAC Enabled	High	Identity & Access	✅ PASS		RBAC Enabled is enabled.	Learn More
AKSIAM002	Managed Identity	High	Identity & Access	✅ PASS		Managed Identity is enabled.	Learn More
AKSIAM003	Workload Identity Enabled	Medium	Identity & Access	✅ PASS		Workload Identity Enabled is enabled.	Learn More
AKSIAM004	Managed Identity Used	High	Identity & Access	✅ PASS		Managed Identity Used is enabled.	Learn More
AKSIAM005	AAD RBAC Authorization Integrated	High	Identity & Access	✅ PASS		AAD RBAC Authorization Integrated is enabled.	Learn More
AKSIAM006	AAD Managed Authentication Enabled	High	Identity & Access	✅ PASS		AAD Managed Authentication Enabled is enabled.	Learn More
AKSIAM007	Local Accounts Disabled	High	Identity & Access	✅ PASS		Local Accounts Disabled is enabled.	Learn More
AKSMON001	Azure Monitor	High	Monitoring & Logging	✅ PASS		Azure Monitor is enabled.	Learn More
AKSMON002	Managed Prometheus Enabled	High	Monitoring & Logging	✅ PASS		Managed Prometheus Enabled is enabled.	Learn More
AKSNET002	Network Policy Check	Medium	Networking	✅ PASS		Network Policy Check is enabled.	Learn More
AKSNET004	Azure CNI Networking Recommended	Medium	Networking	✅ PASS		Azure CNI Networking Recommended is enabled.	Learn More
AKSNET003	Web App Routing Enabled	Low	Networking	✅ PASS		Web App Routing Enabled is enabled.	Learn More
AKSNET001	Authorized IP Ranges	High	Networking	✅ PASS		Authorized IP Ranges is enabled.	Learn More
AKSRES001	Cluster Autoscaler	Medium	Resource Management	✅ PASS		Cluster Autoscaler is enabled.	Learn More
AKSRES003	Vertical Pod Autoscaler (VPA) is enabled	Medium	Resource Management	✅ PASS		Vertical Pod Autoscaler (VPA) is enabled is enabled.	Learn More
AKSSEC007	Kubernetes Dashboard Disabled	High	Security	✅ PASS		Kubernetes Dashboard Disabled is enabled.	Learn More
AKSSEC002	Azure Policy Add-on	Medium	Security	✅ PASS		Azure Policy Add-on is enabled.	Learn More
AKSSEC003	Defender for Containers	High	Security	✅ PASS		Defender for Containers is enabled.	Learn More
AKSSEC004	OIDC Issuer Enabled	Medium	Security	✅ PASS		OIDC Issuer Enabled is enabled.	Learn More
AKSSEC005	Azure Key Vault Integration	High	Security	✅ PASS		Azure Key Vault Integration is enabled.	Learn More
AKSSEC006	Image Cleaner Enabled	Medium	Security	✅ PASS		Image Cleaner Enabled is enabled.	Learn More

Menu

Cluster Overview

Cluster Health Score

API Server Health

Passed / Failed Checks

Cluster Summary

Cluster Metrics Summary iSummary of metrics including node and pod counts, warnings, and issues.

Pod Distribution iAverage, min, and max pods per node and total node count.

Resource Usage iCluster-wide CPU and memory usage.

Cluster Events iSummary of recent warning and error events.

Node Conditions & Resources

NODE001 - Node Readiness and Conditions iDetects nodes that are not in Ready state or reporting other warning conditions.

NODE002 - Node Resource Pressure iDetects nodes under high CPU, memory, or disk pressure.

Namespaces

NS001 - Empty Namespaces iFinds namespaces with no running pods.

NS002 - Missing or Weak ResourceQuotas iDetects namespaces with missing or incomplete ResourceQuota definitions.

NS003 - Missing LimitRanges iDetects namespaces without a defined LimitRange.

Workloads

WRK001 - DaemonSets Not Fully Running iDetects DaemonSets that have fewer running pods than desired.

WRK002 - Deployment Missing Replicas iDetects Deployments where the number of available replicas is less than desired.

WRK003 - StatefulSet Incomplete Rollout iDetects StatefulSets where the number of ready replicas is less than the desired count.

WRK004 - HPA Misconfiguration or Inactivity iChecks for HPAs that have missing targets, no metrics, or inactive scaling.

WRK005 - Missing Resource Requests or Limits iChecks for containers that are missing CPU or memory resource requests or limits.

WRK006 - PDB Coverage and Effectiveness iDetects missing or weak PDBs for workloads

WRK007 - Missing Readiness and Liveness Probes iDetects containers without health probes (readiness/liveness).

WRK008 - Deployment Selector Without Matching Pods iDetects Deployments whose spec.selector does not match any existing Pods. This results in 0 replicas running.

Pods

POD001 - Pods with High Restarts iDetects pods that have restarted more than the defined threshold.

POD002 - Long Running Pods iFlags pods that have been running longer than configured thresholds.

POD003 - Failed Pods iDetects pods in a failed phase, typically due to startup errors, crashes, or misconfiguration.

POD004 - Pending Pods iDetects pods stuck in a 'Pending' state due to scheduling or resource issues.

POD005 - CrashLoopBackOff Pods iIdentifies pods stuck in a CrashLoopBackOff state due to repeated container crashes.

POD006 - Leftover Debug Pods iDetects pods created by 'kubectl debug' that haven't been cleaned up.

POD007 - Container images do not use latest tag iFlags containers using the 'latest' tag in their image, which can cause unpredictable upgrades.

🛠️ Use Specific Image Tags

Jobs

JOB001 - Stuck Kubernetes Jobs iFinds Jobs that have started but not completed within a threshold.

JOB002 - Failed Kubernetes Jobs iDetects jobs with failures and no successful completions.

Networking

NET001 - Services Without Endpoints iIdentifies services that have no backing endpoints, which means no pods are matched.

🔍 Services Without Endpoints

NET002 - Publicly Accessible Services iDetects services of type LoadBalancer or NodePort that are potentially exposed to the internet.

🌐 Secure Exposed Services

NET003 - Ingress Health Validation iValidates ingress definitions for missing classes, invalid backends, missing TLS secrets, duplicate host/path entries, and incorrect path types.

NET004 - Namespace Missing Network Policy iDetects namespaces that have running pods but no associated NetworkPolicy resources. This could allow unrestricted pod-to-pod communication.

Storage

PVC001 - Unused Persistent Volume Claims iDetects PVCs not attached to any pod.

Configuration Hygiene

CFG001 - Orphaned ConfigMaps iDetects ConfigMaps that are not referenced by any pod, workload, service, or ingress.

🛠️ Clean Up Orphaned ConfigMaps

CFG002 - Duplicate ConfigMap Names iDetects ConfigMaps with identical names across different namespaces.

🛠️ Fix Duplicate ConfigMap Names

CFG003 - Large ConfigMaps iFinds ConfigMaps larger than 1 MiB, which may impact performance or exceed platform limits.

Security

RBAC001 - RBAC Misconfigurations iDetects invalid roleRefs, missing roles, orphaned service accounts, and incorrect subject namespaces in RoleBindings and ClusterRoleBindings.

🔐 RBAC Misconfiguration Fixes

RBAC002 - RBAC Overexposure iIdentifies dangerous RBAC grants such as cluster-admin, wildcard permissions, and sensitive resource access in roles and bindings.

🔐 RBAC Hardening Tips

RBAC003 - Orphaned ServiceAccounts iFinds ServiceAccounts not used by any pods or referenced in RoleBindings or ClusterRoleBindings.

🧾 Remove Orphaned ServiceAccounts

RBAC004 - Orphaned and Ineffective Roles iFlags Roles and ClusterRoles that are unused, lack subjects, or define no rules.

🗂️ Clean up Unused or Ineffective RBAC

SEC001 - Orphaned Secrets iDetects Secrets not used by any workloads, ingresses, service accounts, or known custom resources.

🔐 Orphaned Secrets Cleanup

SEC002 - Pods using hostPID or hostNetwork iFlags pods that share the host's PID or network namespace, which can compromise isolation and node security.

⚠️ Avoid Host-Level Sharing

SEC003 - Pods Running as Root iDetects pods running with UID 0 or no explicit runAsUser setting (defaults to root).

🔐 RunAsUser Hardening

SEC004 - Privileged Containers iDetects containers running with privileged mode enabled.

🚫 Disable Privileged Containers

SEC005 - Pods Using hostIPC iDetects pods that use hostIPC, which can compromise pod isolation and allow access to shared memory on the host.

SEC006 - Pods Missing Secure Defaults iChecks if pods are missing recommended securityContext fields such as runAsNonRoot, readOnlyRootFilesystem, or allowPrivilegeEscalation.

SEC007 - Missing Pod Security Admission Labels iChecks if namespaces are missing the 'pod-security.kubernetes.io/enforce' label required for Pod Security Admission enforcement.

SEC008 - Secrets in Environment Variables iDetects secrets injected into pods via environment variables using env.valueFrom.secretKeyRef. `n This makes secrets easier to leak through logs or /proc inspection.

SEC009 - Missing Capabilities Drop iChecks containers that don't drop all Linux capabilities via securityContext.capabilities.drop = ['ALL'].

SEC010 - HostPath Volume Usage iFlags pods that use hostPath volumes, which mount parts of the host filesystem. This bypasses isolation and can be dangerous if misused.

SEC011 - Containers Running as UID 0 iDetects containers explicitly set to run as user 0 (root).

SEC012 - Added Linux Capabilities iFlags containers that add extra Linux capabilities using securityContext.capabilities.add.

SEC013 - EmptyDir Volume Usage iEmptyDir volumes are ephemeral and cleared on pod restart. Use only if data persistence is not needed.

SEC014 - Untrusted Image Registries iFlags images that are not pulled from approved registries.