Docker Container Security Best Practices

Testing tool

Docker Bench for Security

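A script, based on the CIS Docker Benchmark v1.3.1, that automatically checks for dozens of common best practices for running Docker containers in production.

The current version checks seven categories:

1) General configuration
2) Docker daemon configuration
3) Docker daemon configuration files
4) Container images and build files
5) Container runtime
6) Docker security operations
7) Docker Swarm configuration

Each result is reported in one of four states:

PASS: passed
INFO: informational output
WARN: warning
NOTE: take note

[WARN] items need to be fixed, [PASS] means the check passed, and [INFO] items should be adjusted as needed.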
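As an added example (not part of the original article or of Docker Bench for Security itself), the following Python code parses output in the format shown on this page, attaches each `*` detail line to its check, and ranks the [WARN] checks by the number of items they flag. The sample input is constructed, and the function names are assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample in the output format shown on this page (not a real scan).
SAMPLE = """\
[INFO] 2 - Docker daemon configuration
[WARN] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)
[INFO] 2.7 - Ensure TLS authentication for Docker daemon is configured (Scored)
[INFO]      * Docker daemon not listening on TCP
[WARN] 4.1 - Ensure that a user for the container has been created (Automated)
[WARN]      * Running as root: example-app-1
[WARN]      * Running as root: example-app-2
[PASS] 5.7 - Ensure privileged ports are not mapped within containers (Automated)
[WARN] 5.4 - Ensure that privileged containers are not used (Automated)
[WARN]      * Container running in Privileged mode: example-cni-1
"""

ANSI = re.compile(r"\x1b\[[0-9;]*m")                 # colour codes from terminal runs
LINE = re.compile(r"^\[(PASS|INFO|WARN|NOTE)\]\s+(.*)$")
CHECK = re.compile(r"^(\d+(?:\.\d+)+)\s+-\s+(.*)$")  # "4.1 - title", not section "4 - ..."
DETAIL = re.compile(r"^\*\s+(.*)$")


def parse_bench(text):
    """Return {check_id: {"status", "title", "details"}} in input order."""
    checks = OrderedDict()
    current = None
    for raw in text.splitlines():
        m = LINE.match(ANSI.sub("", raw).strip())
        if not m:
            continue  # banners and blank lines
        status, rest = m.groups()
        c = CHECK.match(rest)
        if c:
            current = c.group(1)
            checks[current] = {"status": status, "title": c.group(2), "details": []}
            continue
        d = DETAIL.match(rest)
        if d and current is not None:
            checks[current]["details"].append(d.group(1))
        else:
            current = None  # section header: following details belong to no check
    return checks


def warn_summary(checks):
    """List (check_id, flagged_items, title) for WARN checks, most items first."""
    rows = [(cid, len(c["details"]), c["title"])
            for cid, c in checks.items() if c["status"] == "WARN"]
    return sorted(rows, key=lambda r: (-r[1], [int(p) for p in r[0].split(".")]))


if __name__ == "__main__":
    for cid, count, title in warn_summary(parse_bench(SAMPLE)):
        print(f"{cid:<6} {count:>3}  {title}")
```

A WARN check with zero flagged items (such as 2.2 in the sample) is a host-wide or daemon-wide finding rather than a per-container one.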

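Host security configuration

This section mainly covers adding auditing for the container-related daemon, files and directories.

The following issues currently need remediation: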

[WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated)
[WARN] 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated)
[WARN] 1.1.4 - Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)
[WARN] 1.1.5 - Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)
[WARN] 1.1.6 - Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)
[WARN] 1.1.7 - Ensure auditing is configured for Docker files and directories - docker.service (Automated)
[WARN] 1.1.9 - Ensure auditing is configured for Docker files and directories - docker.socket (Automated)
[WARN] 1.1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)
[WARN] 1.1.11 - Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)
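  • Create a separate partition for containers.

  • Add auditing for the container daemon, its configuration files and related paths.

Docker daemon configuration

This section mainly covers the parameter configuration of the Docker daemon.

The following issues currently need remediation: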

[WARN] 2.2 - Ensure network traffic is restricted between containers on the default bridge (Scored)
[INFO] 2.7 - Ensure TLS authentication for Docker daemon is configured (Scored)
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.8 - Ensure the default ulimit is configured appropriately (Manual)
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.9 - Enable user namespace support (Scored)
[WARN] 2.12 - Ensure that authorization for Docker client commands is enabled (Scored)
[WARN] 2.13 - Ensure centralized and remote logging is configured (Scored)
[WARN] 2.14 - Ensure containers are restricted from acquiring new privileges (Scored)
[WARN] 2.15 - Ensure live restore is enabled (Scored)
[WARN] 2.16 - Ensure Userland Proxy is Disabled (Scored)
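  • Restrict network traffic between containers on the default bridge. By default, unrestricted network communication is enabled between all containers on the same host on the default bridge, which can lead to unintended and unnecessary disclosure of information to other containers.
  • Configure TLS authentication for the daemon, so that not everyone who can reach its port or socket has full access to the Docker daemon.
  • Configure an appropriate ulimit to avoid excessive consumption of system resources.
  • Enable user namespaces, which provide additional security for the Docker host system.
  • Enable authorization for Docker client commands. Otherwise any user with access to the Docker daemon can run any Docker client command, which is a potential security risk.
  • Configure centralized and remote logging.
  • Restrict containers from acquiring new privileges, so that a process or its child processes cannot gain any additional privileges through suid or sgid bits.
  • Enable live restore, which ensures that container execution is not interrupted when the Docker daemon is unavailable.
  • Disable the userland proxy. Port forwarding should use DNAT rather than userland-proxy.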
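The following Python code is an added example, not part of the original article or of Docker Bench for Security. It evaluates a daemon.json against the daemon recommendations above, and shows a default configuration beside a hardened one. The sample files are constructed, `example-authz-plugin` and the syslog address are placeholders, and treating `json-file`, `local` and `none` as non-remote log drivers is an assumption of this example.

```python
import json

# Constructed sample: an empty daemon.json, i.e. every setting left at its default.
WEAK = "{}"

# Constructed sample: a TCP listener with no TLS settings.
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"]}'

# Constructed sample applying the recommendations above.
# The plugin name, log address and ulimit values are placeholders.
HARDENED = """
{
  "icc": false,
  "userns-remap": "default",
  "authorization-plugins": ["example-authz-plugin"],
  "log-driver": "syslog",
  "log-opts": {"syslog-address": "tcp://logs.example.internal:514"},
  "no-new-privileges": true,
  "live-restore": true,
  "userland-proxy": false,
  "default-ulimits": {
    "nofile": {"Name": "nofile", "Soft": 1024, "Hard": 4096}
  }
}
"""

# Assumption of this example: these drivers keep logs on the local host only.
LOCAL_ONLY_LOG_DRIVERS = {"json-file", "local", "none"}


def audit_daemon_config(text):
    """Return {check_id: passed} for the daemon checks listed on this page."""
    cfg = json.loads(text)
    listens_on_tcp = any(h.startswith("tcp://") for h in cfg.get("hosts", []))
    tls_ok = bool(cfg.get("tlsverify")) and all(
        cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey"))
    return {
        # Docker's defaults: icc=true, userland-proxy=true, log-driver=json-file.
        "2.2": cfg.get("icc", True) is False,
        # TLS only matters once the daemon listens on TCP (see the INFO line for 2.7).
        "2.7": (not listens_on_tcp) or tls_ok,
        "2.8": bool(cfg.get("default-ulimits")),
        "2.9": bool(cfg.get("userns-remap")),
        "2.12": bool(cfg.get("authorization-plugins")),
        "2.13": cfg.get("log-driver", "json-file") not in LOCAL_ONLY_LOG_DRIVERS,
        "2.14": cfg.get("no-new-privileges", False) is True,
        "2.15": cfg.get("live-restore", False) is True,
        "2.16": cfg.get("userland-proxy", True) is False,
    }


def failed(text):
    """Check IDs that do not pass, in numeric order."""
    results = audit_daemon_config(text)
    return sorted((cid for cid, ok in results.items() if not ok),
                  key=lambda cid: tuple(int(p) for p in cid.split(".")))


if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, failed(sample))
```

Settings passed as dockerd command-line flags do not appear in daemon.json, so a clean result here covers only the file.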

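Docker daemon file configuration

This section mainly covers the configuration of the daemon's files.

The following issues currently need remediation: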

[WARN] 3.1 - Ensure that the docker.service file ownership is set to root:root (Automated)
[WARN]      * Wrong ownership for /lib/systemd/system/docker.service
[WARN] 3.3 - Ensure that docker.socket file ownership is set to root:root (Automated)
[WARN]      * Wrong ownership for /lib/systemd/system/docker.socket
[WARN] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated)
[WARN]      * Wrong permissions for /etc/docker/certs.d/
[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root (Automated)
[INFO]      * No TLS CA certificate found
[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated)
[INFO]       * No TLS CA certificate found
[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root (Automated)
[INFO]       * No TLS Server certificate found
[INFO] 3.12 - Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated)
[INFO]       * No TLS Server certificate found
[INFO] 3.13 - Ensure that the Docker server certificate key file ownership is set to root:root (Automated)
[INFO]       * No TLS Key found
[INFO] 3.14 - Ensure that the Docker server certificate key file permissions are set to 400 (Automated)
[INFO]       * No TLS Key found
[WARN] 3.19 - Ensure that the /etc/default/docker file ownership is set to root:root (Automated)
[WARN]       * Wrong ownership for /etc/default/docker
[INFO] 3.20 - Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)
[INFO]       * File not found
[INFO] 3.21 - Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated)
[INFO]       * File not found
[INFO] 3.23 - Ensure that the Containerd socket file ownership is set to root:root (Automated)
[INFO]       * File not found
[INFO] 3.24 - Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)
[INFO]       * File not found
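  • Set the ownership of Docker-related files to root:root and their permissions to 644, 660 or 444.

Container images and build files

This section mainly covers container images and build files.

The following issues currently need remediation: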

[WARN] 4.1 - Ensure that a user for the container has been created (Automated)
[WARN]      * Running as root: k8s_ks-account_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_1
[WARN]      * Running as root: k8s_POD_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]      * Running as root: k8s_POD_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_3
[WARN]      * Running as root: k8s_rules-configmap-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]      * Running as root: k8s_prometheus-config-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]      * Running as root: k8s_rules-configmap-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]      * Running as root: k8s_prometheus_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_2
[WARN]      * Running as root: k8s_prometheus-config-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]      * Running as root: k8s_POD_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]      * Running as root: k8s_prometheus_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_2
[WARN]      * Running as root: k8s_POD_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]      * Running as root: k8s_POD_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]      * Running as root: k8s_istio-proxy_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_1
[WARN]      * Running as root: k8s_influxdb_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_1
[WARN]      * Running as root: k8s_mixer_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_9
[WARN]      * Running as root: k8s_POD_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_3
[WARN]      * Running as root: k8s_ks-controller-manager_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_1
[WARN]      * Running as root: k8s_POD_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_3
[WARN]      * Running as root: k8s_logsidecar-injector_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_1
[WARN]      * Running as root: k8s_POD_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_6
[WARN]      * Running as root: k8s_POD_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_2
[WARN]      * Running as root: k8s_POD_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_5
[WARN]      * Running as root: k8s_POD_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_3
[WARN]      * Running as root: k8s_config-reloader_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]      * Running as root: k8s_istio-proxy_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_3
[WARN]      * Running as root: k8s_fluent-bit_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]      * Running as root: k8s_discovery_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_1
[WARN]      * Running as root: k8s_POD_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_2
[WARN]      * Running as root: k8s_POD_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_2
[WARN]      * Running as root: k8s_POD_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_2
[WARN]      * Running as root: k8s_POD_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_4
[WARN]      * Running as root: k8s_ovs-cni-marker_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN]      * Running as root: k8s_kube-flannel_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]      * Running as root: k8s_kube-multus_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]      * Running as root: k8s_POD_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]      * Running as root: k8s_POD_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]      * Running as root: k8s_POD_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]      * Running as root: k8s_POD_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN] 4.5 - Ensure Content trust for Docker is Enabled (Automated)
[WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images (Automated)
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/ks-console:v2.1.0]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/ks-apigateway:v2.1.0]
[WARN]      * No Healthcheck found: [hub.linx.com/k8s-ingress-controller/nginx-ingress-controller:0.33.0]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/prometheus:v2.30.3]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/ks-account:v2.1.0]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/ks-apiserver:v2.1.0]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/ks-controller-manager:v2.1.0]
[WARN]      * No Healthcheck found: [hub.linx.com/k8s/ovs-cni-plugin:latest]
[WARN]      * No Healthcheck found: [hub.linx.com/k8s/ovs-cni-marker:latest]
[WARN]      * No Healthcheck found: [hub.linx.com/k8s/multus:v3.6]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/fluentbit-operator:v2.1.0]
[WARN]      * No Healthcheck found: [hub.linx.com/harbor/busybox:latest]
[WARN]      * No Healthcheck found: [hub.linx.com/harbor/notary-signer-photon:v1.10.2]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/fluent-bit:v1.3.2-reload]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/kubectl:v1.0.0]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/sidecar-injector:1.3.3]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/proxyv2:1.3.3]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/pilot:1.3.3]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/mixer:1.3.3]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/kubectl:1.3.3]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/galley:1.3.3]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/citadel:1.3.3]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/log-sidecar-injector:1.0]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/openldap:1.3.0]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/elasticsearch-oss:6.7.0-1]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/redis:5.0.5-alpine]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/nginx-ingress-controller:0.25.1]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/prometheus-operator:v0.27.1]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/jaeger-operator:1.13.1]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/jaeger-query:1.13]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/jaeger-collector:1.13]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/jaeger-agent:1.13]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/kube-state-metrics:v1.5.2]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/kibana-oss:6.7.0]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/node-exporter:ks-v0.16.0]
[WARN]      * No Healthcheck found: [hub.linx.com/k8s/flannel:v0.11.0-amd64]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/kube-rbac-proxy:v0.4.1]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/prometheus-config-reloader:v0.27.1]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/addon-resizer:1.8.4]
[WARN]      * No Healthcheck found: [hub.linx.com/k8s-ingress-controller/defaultbackend-amd64:1.5]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/metrics-server-amd64:v0.3.1]
[WARN]      * No Healthcheck found: [hub.linx.com/k8s/heapster-influxdb-amd64:v1.5.2]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/docker-elasticsearch-curator:5.5.4]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/busybox:1.28.4]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/defaultbackend-amd64:1.4]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/nfs-client-provisioner:latest]
[WARN]      * No Healthcheck found: [hub.linx.com/lxcms/configmap-reload:v0.0.1]
[WARN]      * No Healthcheck found: [hub.linx.com/k8s/pause-amd64:3.0]
[INFO] 4.7 - Ensure update instructions are not used alone in the Dockerfile (Manual)
[INFO]      * Update instruction found: [hub.linx.com/lxcms/ks-apigateway:v2.1.0]
[INFO]      * Update instruction found: [hub.linx.com/k8s-ingress-controller/nginx-ingress-controller:0.33.0]
[INFO]      * Update instruction found: [hub.linx.com/lxcms/ks-account:v2.1.0]
[INFO]      * Update instruction found: [hub.linx.com/lxcms/ks-apiserver:v2.1.0]
[INFO]      * Update instruction found: [hub.linx.com/lxcms/ks-controller-manager:v2.1.0]
[INFO]      * Update instruction found: [hub.linx.com/lxcms/kubectl:v1.0.0]
[INFO]      * Update instruction found: [hub.linx.com/lxcms/sidecar-injector:1.3.3]
[INFO]      * Update instruction found: [hub.linx.com/lxcms/proxyv2:1.3.3]
[INFO]      * Update instruction found: [hub.linx.com/lxcms/pilot:1.3.3]
[INFO]      * Update instruction found: [hub.linx.com/lxcms/kubectl:1.3.3]
[INFO]      * Update instruction found: [hub.linx.com/lxcms/galley:1.3.3]
[INFO]      * Update instruction found: [hub.linx.com/lxcms/citadel:1.3.3]
[INFO]      * Update instruction found: [hub.linx.com/lxcms/elasticsearch-oss:6.7.0-1]
[INFO]      * Update instruction found: [hub.linx.com/lxcms/kibana-oss:6.7.0]
[INFO]      * Update instruction found: [hub.linx.com/lxcms/nfs-client-provisioner:latest]
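  • Create a non-root user for container images.
  • Add HEALTHCHECK instructions to container images. Adding the HEALTHCHECK instruction to a container image ensures that the Docker engine periodically checks the running container instances against that instruction, to confirm that the instances are still operating.
  • Do not use update commands in container images. An update instruction caches the updated layer, and any later image build that uses the same instruction will reuse the previously cached update layer.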
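The following Python code is an added example, not part of the original article or of Docker Bench for Security. It lints a Dockerfile for the three image findings above (4.1 no non-root user, 4.6 no HEALTHCHECK, 4.7 an update instruction used alone) and shows a weak Dockerfile beside a corrected one. Both Dockerfiles are constructed, the user name, UID and health URL are placeholders, and the linter only sees the final build stage, not settings inherited from the base image.

```python
import re

# Constructed sample: runs as root, has no HEALTHCHECK, and updates in its own layer.
WEAK = """\
FROM debian:bookworm-slim
RUN apt-get update
RUN apt-get install -y curl
COPY app /app
CMD ["/app/server"]
"""

# Constructed sample: the same image with the three findings addressed.
HARDENED = """\
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
RUN useradd --system --uid 10001 app
COPY app /app
USER app
HEALTHCHECK --interval=30s --timeout=3s CMD curl -fsS http://127.0.0.1:8080/healthz || exit 1
CMD ["/app/server"]
"""

UPDATE = re.compile(r"\b(apt-get|apt|apk|yum|dnf)\s+(-\S+\s+)*update\b")
INSTALL = re.compile(
    r"\b(apt-get|apt|yum|dnf)\s+(-\S+\s+)*install\b|\bapk\s+(-\S+\s+)*add\b")


def instructions(dockerfile):
    """Yield (KEYWORD, arguments) with line continuations joined, comments dropped."""
    logical = re.sub(r"\\[ \t]*\n", " ", dockerfile)
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, args = line.partition(" ")
        yield keyword.upper(), args.strip()


def lint(dockerfile):
    """Return the sorted check IDs (4.1, 4.6, 4.7) that the final stage fails."""
    user, healthcheck, lone_update = None, False, False
    for keyword, args in instructions(dockerfile):
        if keyword == "FROM":
            # A new stage starts; only the last stage becomes the image.
            user, healthcheck, lone_update = None, False, False
        elif keyword == "USER":
            user = args
        elif keyword == "HEALTHCHECK":
            healthcheck = args.upper() != "NONE"   # HEALTHCHECK NONE disables it
        elif keyword == "RUN" and UPDATE.search(args) and not INSTALL.search(args):
            # The package index is refreshed in a layer of its own, which the
            # build cache will keep reusing for later installs.
            lone_update = True
    findings = []
    if user is None or user.split(":")[0] in ("root", "0"):
        findings.append("4.1")
    if not healthcheck:
        findings.append("4.6")
    if lone_update:
        findings.append("4.7")
    return findings


if __name__ == "__main__":
    print("weak:", lint(WEAK))
    print("hardened:", lint(HARDENED))
```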

Container runtime protection

[WARN] 5.1 - Ensure that, if applicable, an AppArmor Profile is enabled (Automated)
[WARN]      * No AppArmorProfile Found: k8s_clair_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_9
[WARN]      * No AppArmorProfile Found: k8s_ks-account_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_1
[WARN]      * No AppArmorProfile Found: k8s_elasticsearch_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]      * No AppArmorProfile Found: k8s_POD_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]      * No AppArmorProfile Found: k8s_database_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_2
[WARN]      * No AppArmorProfile Found: k8s_POD_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_3
[WARN]      * No AppArmorProfile Found: k8s_elasticsearch_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]      * No AppArmorProfile Found: k8s_notary-signer_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_4
[WARN]      * No AppArmorProfile Found: k8s_rules-configmap-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]      * No AppArmorProfile Found: k8s_prometheus-config-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]      * No AppArmorProfile Found: k8s_rules-configmap-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]      * No AppArmorProfile Found: k8s_prometheus_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_2
[WARN]      * No AppArmorProfile Found: k8s_prometheus-config-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]      * No AppArmorProfile Found: k8s_POD_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]      * No AppArmorProfile Found: k8s_prometheus_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_2
[WARN]      * No AppArmorProfile Found: k8s_POD_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]      * No AppArmorProfile Found: k8s_POD_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]      * No AppArmorProfile Found: k8s_istio-proxy_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_1
[WARN]      * No AppArmorProfile Found: k8s_influxdb_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_1
[WARN]      * No AppArmorProfile Found: k8s_adapter_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_2
[WARN]      * No AppArmorProfile Found: k8s_mixer_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_9
[WARN]      * No AppArmorProfile Found: k8s_POD_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_3
[WARN]      * No AppArmorProfile Found: k8s_ks-controller-manager_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_1
[WARN]      * No AppArmorProfile Found: k8s_POD_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_3
[WARN]      * No AppArmorProfile Found: k8s_logsidecar-injector_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_1
[WARN]      * No AppArmorProfile Found: k8s_POD_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_6
[WARN]      * No AppArmorProfile Found: k8s_POD_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_2
[WARN]      * No AppArmorProfile Found: k8s_POD_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_5
[WARN]      * No AppArmorProfile Found: k8s_POD_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_3
[WARN]      * No AppArmorProfile Found: k8s_config-reloader_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]      * No AppArmorProfile Found: k8s_istio-proxy_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_3
[WARN]      * No AppArmorProfile Found: k8s_fluent-bit_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]      * No AppArmorProfile Found: k8s_discovery_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_1
[WARN]      * No AppArmorProfile Found: k8s_POD_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_2
[WARN]      * No AppArmorProfile Found: k8s_default-http-backend_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_2
[WARN]      * No AppArmorProfile Found: k8s_POD_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_2
[WARN]      * No AppArmorProfile Found: k8s_POD_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_2
[WARN]      * No AppArmorProfile Found: k8s_POD_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_4
[WARN]      * No AppArmorProfile Found: k8s_kube-rbac-proxy_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]      * No AppArmorProfile Found: k8s_node-exporter_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]      * No AppArmorProfile Found: k8s_POD_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]      * No AppArmorProfile Found: k8s_ovs-cni-marker_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN]      * No AppArmorProfile Found: k8s_kube-flannel_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]      * No AppArmorProfile Found: k8s_kube-multus_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]      * No AppArmorProfile Found: k8s_POD_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]      * No AppArmorProfile Found: k8s_POD_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]      * No AppArmorProfile Found: k8s_nginx-ingress-controller_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]      * No AppArmorProfile Found: k8s_POD_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]      * No AppArmorProfile Found: k8s_POD_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN] 5.3 - Ensure that Linux kernel capabilities are restricted within containers (Automated)
[WARN]      * Capabilities added: CapAdd=[NET_ADMIN] to k8s_kube-flannel_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN] 5.4 - Ensure that privileged containers are not used (Automated)
[WARN]      * Container running in Privileged mode: k8s_ovs-cni-marker_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN]      * Container running in Privileged mode: k8s_kube-flannel_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]      * Container running in Privileged mode: k8s_kube-multus_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN] 5.5 - Ensure sensitive host system directories are not mounted on containers (Automated)
[WARN]      * Sensitive directory / mounted in: k8s_node-exporter_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]      * Sensitive directory /proc mounted in: k8s_node-exporter_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]      * Sensitive directory /sys mounted in: k8s_node-exporter_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN] 5.6 - Ensure sshd is not run within containers (Automated)
[WARN]      * Container running sshd: k8s_kube-rbac-proxy_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]      * Container running sshd: k8s_node-exporter_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[PASS] 5.7 - Ensure privileged ports are not mapped within containers (Automated)
[PASS] 5.8 - Ensure that only needed ports are open on the container (Manual)
[WARN] 5.9 - Ensure that the host's network namespace is not shared (Automated)
[WARN]      * Container running with networking mode 'host': k8s_POD_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]      * Container running with networking mode 'host': k8s_POD_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]      * Container running with networking mode 'host': k8s_POD_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]      * Container running with networking mode 'host': k8s_POD_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]      * Container running with networking mode 'host': k8s_POD_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN] 5.10 - Ensure that the memory usage for containers is limited (Automated)
[WARN]       * Container running without memory restrictions: k8s_clair_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_9
[WARN]       * Container running without memory restrictions: k8s_elasticsearch_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]       * Container running without memory restrictions: k8s_POD_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]       * Container running without memory restrictions: k8s_database_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_2
[WARN]       * Container running without memory restrictions: k8s_POD_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_3
[WARN]       * Container running without memory restrictions: k8s_elasticsearch_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]       * Container running without memory restrictions: k8s_notary-signer_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_4
[WARN]       * Container running without memory restrictions: k8s_POD_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * Container running without memory restrictions: k8s_POD_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]       * Container running without memory restrictions: k8s_POD_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * Container running without memory restrictions: k8s_influxdb_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_1
[WARN]       * Container running without memory restrictions: k8s_adapter_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_2
[WARN]       * Container running without memory restrictions: k8s_mixer_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_9
[WARN]       * Container running without memory restrictions: k8s_POD_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_3
[WARN]       * Container running without memory restrictions: k8s_POD_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_3
[WARN]       * Container running without memory restrictions: k8s_POD_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_6
[WARN]       * Container running without memory restrictions: k8s_POD_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_2
[WARN]       * Container running without memory restrictions: k8s_POD_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_5
[WARN]       * Container running without memory restrictions: k8s_POD_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_3
[WARN]       * Container running without memory restrictions: k8s_config-reloader_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]       * Container running without memory restrictions: k8s_fluent-bit_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]       * Container running without memory restrictions: k8s_discovery_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_1
[WARN]       * Container running without memory restrictions: k8s_POD_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_2
[WARN]       * Container running without memory restrictions: k8s_POD_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_2
[WARN]       * Container running without memory restrictions: k8s_POD_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_2
[WARN]       * Container running without memory restrictions: k8s_POD_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_4
[WARN]       * Container running without memory restrictions: k8s_POD_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Container running without memory restrictions: k8s_ovs-cni-marker_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN]       * Container running without memory restrictions: k8s_POD_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]       * Container running without memory restrictions: k8s_POD_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]       * Container running without memory restrictions: k8s_nginx-ingress-controller_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]       * Container running without memory restrictions: k8s_POD_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]       * Container running without memory restrictions: k8s_POD_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[PASS] 5.11 - Ensure that CPU priority is set appropriately on containers (Automated)
[WARN] 5.12 - Ensure that the container's root filesystem is mounted as read only (Automated)
[WARN]       * Container running with root FS mounted R/W: k8s_clair_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_9
[WARN]       * Container running with root FS mounted R/W: k8s_ks-account_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_1
[WARN]       * Container running with root FS mounted R/W: k8s_elasticsearch_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]       * Container running with root FS mounted R/W: k8s_POD_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]       * Container running with root FS mounted R/W: k8s_database_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_2
[WARN]       * Container running with root FS mounted R/W: k8s_POD_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_3
[WARN]       * Container running with root FS mounted R/W: k8s_elasticsearch_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]       * Container running with root FS mounted R/W: k8s_notary-signer_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_4
[WARN]       * Container running with root FS mounted R/W: k8s_rules-configmap-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * Container running with root FS mounted R/W: k8s_prometheus-config-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * Container running with root FS mounted R/W: k8s_rules-configmap-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * Container running with root FS mounted R/W: k8s_prometheus_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_2
[WARN]       * Container running with root FS mounted R/W: k8s_prometheus-config-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * Container running with root FS mounted R/W: k8s_POD_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * Container running with root FS mounted R/W: k8s_prometheus_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_2
[WARN]       * Container running with root FS mounted R/W: k8s_POD_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]       * Container running with root FS mounted R/W: k8s_POD_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * Container running with root FS mounted R/W: k8s_istio-proxy_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_1
[WARN]       * Container running with root FS mounted R/W: k8s_influxdb_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_1
[WARN]       * Container running with root FS mounted R/W: k8s_adapter_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_2
[WARN]       * Container running with root FS mounted R/W: k8s_mixer_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_9
[WARN]       * Container running with root FS mounted R/W: k8s_POD_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_3
[WARN]       * Container running with root FS mounted R/W: k8s_ks-controller-manager_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_1
[WARN]       * Container running with root FS mounted R/W: k8s_POD_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_3
[WARN]       * Container running with root FS mounted R/W: k8s_logsidecar-injector_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_1
[WARN]       * Container running with root FS mounted R/W: k8s_POD_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_6
[WARN]       * Container running with root FS mounted R/W: k8s_POD_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_2
[WARN]       * Container running with root FS mounted R/W: k8s_POD_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_5
[WARN]       * Container running with root FS mounted R/W: k8s_POD_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_3
[WARN]       * Container running with root FS mounted R/W: k8s_config-reloader_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]       * Container running with root FS mounted R/W: k8s_istio-proxy_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_3
[WARN]       * Container running with root FS mounted R/W: k8s_fluent-bit_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]       * Container running with root FS mounted R/W: k8s_discovery_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_1
[WARN]       * Container running with root FS mounted R/W: k8s_POD_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_2
[WARN]       * Container running with root FS mounted R/W: k8s_default-http-backend_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_2
[WARN]       * Container running with root FS mounted R/W: k8s_POD_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_2
[WARN]       * Container running with root FS mounted R/W: k8s_POD_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_2
[WARN]       * Container running with root FS mounted R/W: k8s_POD_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_4
[WARN]       * Container running with root FS mounted R/W: k8s_kube-rbac-proxy_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Container running with root FS mounted R/W: k8s_node-exporter_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Container running with root FS mounted R/W: k8s_POD_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Container running with root FS mounted R/W: k8s_ovs-cni-marker_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN]       * Container running with root FS mounted R/W: k8s_kube-flannel_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]       * Container running with root FS mounted R/W: k8s_kube-multus_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]       * Container running with root FS mounted R/W: k8s_POD_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]       * Container running with root FS mounted R/W: k8s_POD_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]       * Container running with root FS mounted R/W: k8s_nginx-ingress-controller_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]       * Container running with root FS mounted R/W: k8s_POD_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]       * Container running with root FS mounted R/W: k8s_POD_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[PASS] 5.13 - Ensure that incoming container traffic is bound to a specific host interface (Automated)
[WARN] 5.14 - Ensure that the 'on-failure' container restart policy is set to '5' (Automated)
[WARN]       * MaximumRetryCount is not set to 5: k8s_clair_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_9
[WARN]       * MaximumRetryCount is not set to 5: k8s_ks-account_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_elasticsearch_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_database_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_2
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_3
[WARN]       * MaximumRetryCount is not set to 5: k8s_elasticsearch_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_notary-signer_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_4
[WARN]       * MaximumRetryCount is not set to 5: k8s_rules-configmap-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_prometheus-config-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_rules-configmap-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_prometheus_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_2
[WARN]       * MaximumRetryCount is not set to 5: k8s_prometheus-config-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_prometheus_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_2
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_istio-proxy_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_influxdb_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_adapter_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_2
[WARN]       * MaximumRetryCount is not set to 5: k8s_mixer_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_9
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_3
[WARN]       * MaximumRetryCount is not set to 5: k8s_ks-controller-manager_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_3
[WARN]       * MaximumRetryCount is not set to 5: k8s_logsidecar-injector_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_6
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_2
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_5
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_3
[WARN]       * MaximumRetryCount is not set to 5: k8s_config-reloader_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_istio-proxy_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_3
[WARN]       * MaximumRetryCount is not set to 5: k8s_fluent-bit_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_discovery_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_2
[WARN]       * MaximumRetryCount is not set to 5: k8s_default-http-backend_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_2
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_2
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_2
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_4
[WARN]       * MaximumRetryCount is not set to 5: k8s_kube-rbac-proxy_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_node-exporter_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * MaximumRetryCount is not set to 5: k8s_ovs-cni-marker_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN]       * MaximumRetryCount is not set to 5: k8s_kube-flannel_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]       * MaximumRetryCount is not set to 5: k8s_kube-multus_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]       * MaximumRetryCount is not set to 5: k8s_nginx-ingress-controller_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]       * MaximumRetryCount is not set to 5: k8s_POD_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN] 5.15 - Ensure that the host's process namespace is not shared (Automated)
[WARN]       * Host PID namespace being shared with: k8s_kube-rbac-proxy_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Host PID namespace being shared with: k8s_node-exporter_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Host PID namespace being shared with: k8s_POD_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[INFO]       * Container no default ulimit override: k8s_clair_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_9
[INFO]       * Container no default ulimit override: k8s_ks-account_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_1
[INFO]       * Container no default ulimit override: k8s_elasticsearch_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[INFO]       * Container no default ulimit override: k8s_POD_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[INFO]       * Container no default ulimit override: k8s_database_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_2
[INFO]       * Container no default ulimit override: k8s_POD_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_3
[INFO]       * Container no default ulimit override: k8s_elasticsearch_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[INFO]       * Container no default ulimit override: k8s_notary-signer_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_4
[INFO]       * Container no default ulimit override: k8s_rules-configmap-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[INFO]       * Container no default ulimit override: k8s_prometheus-config-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[INFO]       * Container no default ulimit override: k8s_rules-configmap-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[INFO]       * Container no default ulimit override: k8s_prometheus_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_2
[INFO]       * Container no default ulimit override: k8s_prometheus-config-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[INFO]       * Container no default ulimit override: k8s_POD_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[INFO]       * Container no default ulimit override: k8s_prometheus_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_2
[INFO]       * Container no default ulimit override: k8s_POD_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[INFO]       * Container no default ulimit override: k8s_POD_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[INFO]       * Container no default ulimit override: k8s_istio-proxy_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_1
[INFO]       * Container no default ulimit override: k8s_influxdb_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_1
[INFO]       * Container no default ulimit override: k8s_adapter_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_2
[INFO]       * Container no default ulimit override: k8s_mixer_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_9
[INFO]       * Container no default ulimit override: k8s_POD_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_3
[INFO]       * Container no default ulimit override: k8s_ks-controller-manager_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_1
[INFO]       * Container no default ulimit override: k8s_POD_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_3
[INFO]       * Container no default ulimit override: k8s_logsidecar-injector_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_1
[INFO]       * Container no default ulimit override: k8s_POD_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_6
[INFO]       * Container no default ulimit override: k8s_POD_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_2
[INFO]       * Container no default ulimit override: k8s_POD_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_5
[INFO]       * Container no default ulimit override: k8s_POD_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_3
[INFO]       * Container no default ulimit override: k8s_config-reloader_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[INFO]       * Container no default ulimit override: k8s_istio-proxy_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_3
[INFO]       * Container no default ulimit override: k8s_fluent-bit_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[INFO]       * Container no default ulimit override: k8s_discovery_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_1
[INFO]       * Container no default ulimit override: k8s_POD_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_2
[INFO]       * Container no default ulimit override: k8s_default-http-backend_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_2
[INFO]       * Container no default ulimit override: k8s_POD_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_2
[INFO]       * Container no default ulimit override: k8s_POD_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_2
[INFO]       * Container no default ulimit override: k8s_POD_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_4
[INFO]       * Container no default ulimit override: k8s_kube-rbac-proxy_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[INFO]       * Container no default ulimit override: k8s_node-exporter_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[INFO]       * Container no default ulimit override: k8s_POD_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[INFO]       * Container no default ulimit override: k8s_ovs-cni-marker_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[INFO]       * Container no default ulimit override: k8s_kube-flannel_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[INFO]       * Container no default ulimit override: k8s_kube-multus_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[INFO]       * Container no default ulimit override: k8s_POD_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[INFO]       * Container no default ulimit override: k8s_POD_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[INFO]       * Container no default ulimit override: k8s_nginx-ingress-controller_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[INFO]       * Container no default ulimit override: k8s_POD_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[INFO]       * Container no default ulimit override: k8s_POD_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN] 5.20 - Ensure that the host's UTS namespace is not shared (Automated)
[WARN]       * Host UTS namespace being shared with: k8s_kube-rbac-proxy_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Host UTS namespace being shared with: k8s_node-exporter_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Host UTS namespace being shared with: k8s_ovs-cni-marker_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN]       * Host UTS namespace being shared with: k8s_kube-flannel_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]       * Host UTS namespace being shared with: k8s_kube-multus_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]       * Host UTS namespace being shared with: k8s_nginx-ingress-controller_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN] 5.21 - Ensure the default seccomp profile is not Disabled (Automated)
[WARN]       * Default seccomp profile disabled: k8s_clair_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_9
[WARN]       * Default seccomp profile disabled: k8s_ks-account_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_1
[WARN]       * Default seccomp profile disabled: k8s_elasticsearch_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]       * Default seccomp profile disabled: k8s_POD_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]       * Default seccomp profile disabled: k8s_database_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_2
[WARN]       * Default seccomp profile disabled: k8s_POD_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_3
[WARN]       * Default seccomp profile disabled: k8s_elasticsearch_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]       * Default seccomp profile disabled: k8s_notary-signer_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_4
[WARN]       * Default seccomp profile disabled: k8s_rules-configmap-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * Default seccomp profile disabled: k8s_prometheus-config-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * Default seccomp profile disabled: k8s_rules-configmap-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * Default seccomp profile disabled: k8s_prometheus_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_2
[WARN]       * Default seccomp profile disabled: k8s_prometheus-config-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * Default seccomp profile disabled: k8s_POD_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * Default seccomp profile disabled: k8s_prometheus_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_2
[WARN]       * Default seccomp profile disabled: k8s_POD_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]       * Default seccomp profile disabled: k8s_POD_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * Default seccomp profile disabled: k8s_istio-proxy_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_1
[WARN]       * Default seccomp profile disabled: k8s_influxdb_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_1
[WARN]       * Default seccomp profile disabled: k8s_adapter_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_2
[WARN]       * Default seccomp profile disabled: k8s_mixer_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_9
[WARN]       * Default seccomp profile disabled: k8s_POD_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_3
[WARN]       * Default seccomp profile disabled: k8s_ks-controller-manager_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_1
[WARN]       * Default seccomp profile disabled: k8s_POD_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_3
[WARN]       * Default seccomp profile disabled: k8s_logsidecar-injector_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_1
[WARN]       * Default seccomp profile disabled: k8s_POD_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_6
[WARN]       * Default seccomp profile disabled: k8s_POD_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_2
[WARN]       * Default seccomp profile disabled: k8s_POD_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_5
[WARN]       * Default seccomp profile disabled: k8s_POD_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_3
[WARN]       * Default seccomp profile disabled: k8s_config-reloader_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]       * Default seccomp profile disabled: k8s_istio-proxy_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_3
[WARN]       * Default seccomp profile disabled: k8s_fluent-bit_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]       * Default seccomp profile disabled: k8s_discovery_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_1
[WARN]       * Default seccomp profile disabled: k8s_POD_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_2
[WARN]       * Default seccomp profile disabled: k8s_default-http-backend_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_2
[WARN]       * Default seccomp profile disabled: k8s_POD_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_2
[WARN]       * Default seccomp profile disabled: k8s_POD_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_2
[WARN]       * Default seccomp profile disabled: k8s_POD_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_4
[WARN]       * Default seccomp profile disabled: k8s_kube-rbac-proxy_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Default seccomp profile disabled: k8s_node-exporter_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Default seccomp profile disabled: k8s_POD_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Default seccomp profile disabled: k8s_ovs-cni-marker_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN]       * Default seccomp profile disabled: k8s_kube-flannel_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]       * Default seccomp profile disabled: k8s_kube-multus_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]       * Default seccomp profile disabled: k8s_POD_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]       * Default seccomp profile disabled: k8s_POD_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]       * Default seccomp profile disabled: k8s_nginx-ingress-controller_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]       * Default seccomp profile disabled: k8s_POD_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]       * Default seccomp profile disabled: k8s_POD_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[NOTE] 5.22 - Ensure that docker exec commands are not used with the privileged option (Automated)
[NOTE] 5.23 - Ensure that docker exec commands are not used with the user=root option (Manual)
[WARN] 5.24 - Ensure that cgroup usage is confirmed (Automated)
[WARN]       * Confirm cgroup usage: k8s_clair_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_9
[WARN]       * Confirm cgroup usage: k8s_ks-account_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_1
[WARN]       * Confirm cgroup usage: k8s_elasticsearch_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]       * Confirm cgroup usage: k8s_POD_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]       * Confirm cgroup usage: k8s_database_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_2
[WARN]       * Confirm cgroup usage: k8s_POD_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_3
[WARN]       * Confirm cgroup usage: k8s_elasticsearch_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]       * Confirm cgroup usage: k8s_notary-signer_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_4
[WARN]       * Confirm cgroup usage: k8s_rules-configmap-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * Confirm cgroup usage: k8s_prometheus-config-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * Confirm cgroup usage: k8s_rules-configmap-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * Confirm cgroup usage: k8s_prometheus_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_2
[WARN]       * Confirm cgroup usage: k8s_prometheus-config-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * Confirm cgroup usage: k8s_POD_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * Confirm cgroup usage: k8s_prometheus_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_2
[WARN]       * Confirm cgroup usage: k8s_POD_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]       * Confirm cgroup usage: k8s_POD_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * Confirm cgroup usage: k8s_istio-proxy_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_1
[WARN]       * Confirm cgroup usage: k8s_influxdb_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_1
[WARN]       * Confirm cgroup usage: k8s_adapter_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_2
[WARN]       * Confirm cgroup usage: k8s_mixer_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_9
[WARN]       * Confirm cgroup usage: k8s_POD_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_3
[WARN]       * Confirm cgroup usage: k8s_ks-controller-manager_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_1
[WARN]       * Confirm cgroup usage: k8s_POD_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_3
[WARN]       * Confirm cgroup usage: k8s_logsidecar-injector_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_1
[WARN]       * Confirm cgroup usage: k8s_POD_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_6
[WARN]       * Confirm cgroup usage: k8s_POD_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_2
[WARN]       * Confirm cgroup usage: k8s_POD_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_5
[WARN]       * Confirm cgroup usage: k8s_POD_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_3
[WARN]       * Confirm cgroup usage: k8s_config-reloader_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]       * Confirm cgroup usage: k8s_istio-proxy_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_3
[WARN]       * Confirm cgroup usage: k8s_fluent-bit_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]       * Confirm cgroup usage: k8s_discovery_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_1
[WARN]       * Confirm cgroup usage: k8s_POD_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_2
[WARN]       * Confirm cgroup usage: k8s_default-http-backend_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_2
[WARN]       * Confirm cgroup usage: k8s_POD_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_2
[WARN]       * Confirm cgroup usage: k8s_POD_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_2
[WARN]       * Confirm cgroup usage: k8s_POD_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_4
[WARN]       * Confirm cgroup usage: k8s_kube-rbac-proxy_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Confirm cgroup usage: k8s_node-exporter_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Confirm cgroup usage: k8s_POD_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Confirm cgroup usage: k8s_ovs-cni-marker_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN]       * Confirm cgroup usage: k8s_kube-flannel_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]       * Confirm cgroup usage: k8s_kube-multus_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]       * Confirm cgroup usage: k8s_POD_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]       * Confirm cgroup usage: k8s_POD_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]       * Confirm cgroup usage: k8s_nginx-ingress-controller_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]       * Confirm cgroup usage: k8s_POD_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]       * Confirm cgroup usage: k8s_POD_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN] 5.25 - Ensure that the container is restricted from acquiring additional privileges (Automated)
[WARN]       * Privileges not restricted: k8s_clair_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_9
[WARN]       * Privileges not restricted: k8s_ks-account_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_1
[WARN]       * Privileges not restricted: k8s_elasticsearch_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]       * Privileges not restricted: k8s_POD_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]       * Privileges not restricted: k8s_database_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_2
[WARN]       * Privileges not restricted: k8s_POD_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_3
[WARN]       * Privileges not restricted: k8s_elasticsearch_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]       * Privileges not restricted: k8s_notary-signer_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_4
[WARN]       * Privileges not restricted: k8s_rules-configmap-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * Privileges not restricted: k8s_prometheus-config-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * Privileges not restricted: k8s_rules-configmap-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * Privileges not restricted: k8s_prometheus_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_2
[WARN]       * Privileges not restricted: k8s_prometheus-config-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * Privileges not restricted: k8s_POD_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * Privileges not restricted: k8s_prometheus_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_2
[WARN]       * Privileges not restricted: k8s_POD_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]       * Privileges not restricted: k8s_POD_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * Privileges not restricted: k8s_istio-proxy_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_1
[WARN]       * Privileges not restricted: k8s_influxdb_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_1
[WARN]       * Privileges not restricted: k8s_adapter_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_2
[WARN]       * Privileges not restricted: k8s_mixer_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_9
[WARN]       * Privileges not restricted: k8s_POD_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_3
[WARN]       * Privileges not restricted: k8s_ks-controller-manager_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_1
[WARN]       * Privileges not restricted: k8s_POD_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_3
[WARN]       * Privileges not restricted: k8s_logsidecar-injector_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_1
[WARN]       * Privileges not restricted: k8s_POD_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_6
[WARN]       * Privileges not restricted: k8s_POD_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_2
[WARN]       * Privileges not restricted: k8s_POD_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_5
[WARN]       * Privileges not restricted: k8s_POD_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_3
[WARN]       * Privileges not restricted: k8s_config-reloader_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]       * Privileges not restricted: k8s_istio-proxy_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_3
[WARN]       * Privileges not restricted: k8s_fluent-bit_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]       * Privileges not restricted: k8s_discovery_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_1
[WARN]       * Privileges not restricted: k8s_POD_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_2
[WARN]       * Privileges not restricted: k8s_default-http-backend_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_2
[WARN]       * Privileges not restricted: k8s_POD_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_2
[WARN]       * Privileges not restricted: k8s_POD_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_2
[WARN]       * Privileges not restricted: k8s_POD_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_4
[WARN]       * Privileges not restricted: k8s_kube-rbac-proxy_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Privileges not restricted: k8s_node-exporter_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Privileges not restricted: k8s_POD_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Privileges not restricted: k8s_ovs-cni-marker_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN]       * Privileges not restricted: k8s_kube-flannel_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]       * Privileges not restricted: k8s_kube-multus_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]       * Privileges not restricted: k8s_POD_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]       * Privileges not restricted: k8s_POD_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]       * Privileges not restricted: k8s_nginx-ingress-controller_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]       * Privileges not restricted: k8s_POD_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]       * Privileges not restricted: k8s_POD_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN] 5.26 - Ensure that container health is checked at runtime (Automated)
[WARN]       * Health check not set: k8s_clair_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_9
[WARN]       * Health check not set: k8s_ks-account_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_1
[WARN]       * Health check not set: k8s_elasticsearch_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]       * Health check not set: k8s_POD_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]       * Health check not set: k8s_database_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_2
[WARN]       * Health check not set: k8s_POD_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_3
[WARN]       * Health check not set: k8s_elasticsearch_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]       * Health check not set: k8s_notary-signer_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_4
[WARN]       * Health check not set: k8s_rules-configmap-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * Health check not set: k8s_prometheus-config-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * Health check not set: k8s_rules-configmap-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * Health check not set: k8s_prometheus_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_2
[WARN]       * Health check not set: k8s_prometheus-config-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * Health check not set: k8s_POD_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * Health check not set: k8s_prometheus_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_2
[WARN]       * Health check not set: k8s_POD_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]       * Health check not set: k8s_POD_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * Health check not set: k8s_istio-proxy_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_1
[WARN]       * Health check not set: k8s_influxdb_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_1
[WARN]       * Health check not set: k8s_adapter_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_2
[WARN]       * Health check not set: k8s_mixer_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_9
[WARN]       * Health check not set: k8s_POD_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_3
[WARN]       * Health check not set: k8s_ks-controller-manager_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_1
[WARN]       * Health check not set: k8s_POD_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_3
[WARN]       * Health check not set: k8s_logsidecar-injector_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_1
[WARN]       * Health check not set: k8s_POD_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_6
[WARN]       * Health check not set: k8s_POD_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_2
[WARN]       * Health check not set: k8s_POD_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_5
[WARN]       * Health check not set: k8s_POD_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_3
[WARN]       * Health check not set: k8s_config-reloader_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]       * Health check not set: k8s_istio-proxy_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_3
[WARN]       * Health check not set: k8s_fluent-bit_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]       * Health check not set: k8s_discovery_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_1
[WARN]       * Health check not set: k8s_POD_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_2
[WARN]       * Health check not set: k8s_default-http-backend_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_2
[WARN]       * Health check not set: k8s_POD_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_2
[WARN]       * Health check not set: k8s_POD_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_2
[WARN]       * Health check not set: k8s_POD_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_4
[WARN]       * Health check not set: k8s_kube-rbac-proxy_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Health check not set: k8s_node-exporter_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Health check not set: k8s_POD_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * Health check not set: k8s_ovs-cni-marker_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN]       * Health check not set: k8s_kube-flannel_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]       * Health check not set: k8s_kube-multus_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]       * Health check not set: k8s_POD_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]       * Health check not set: k8s_POD_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]       * Health check not set: k8s_nginx-ingress-controller_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]       * Health check not set: k8s_POD_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]       * Health check not set: k8s_POD_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[INFO] 5.27 - Ensure that Docker commands always make use of the latest version of their image (Manual)
[WARN] 5.28 - Ensure that the PIDs cgroup limit is used (Automated)
[WARN]       * PIDs limit not set: k8s_clair_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_9
[WARN]       * PIDs limit not set: k8s_ks-account_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_1
[WARN]       * PIDs limit not set: k8s_elasticsearch_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]       * PIDs limit not set: k8s_POD_elasticsearch-logging-data-d85ddc68c-n6kn2_lxcms-logging-system_d7e0c734-99dd-4229-9837-b4532c4ab5a2_1
[WARN]       * PIDs limit not set: k8s_database_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_2
[WARN]       * PIDs limit not set: k8s_POD_hub-harbor-database-5ccf767678-48ff2_harbor_90864f61-09e0-46e5-af6d-36451624b137_3
[WARN]       * PIDs limit not set: k8s_elasticsearch_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]       * PIDs limit not set: k8s_notary-signer_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_4
[WARN]       * PIDs limit not set: k8s_rules-configmap-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * PIDs limit not set: k8s_prometheus-config-reloader_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * PIDs limit not set: k8s_rules-configmap-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * PIDs limit not set: k8s_prometheus_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_2
[WARN]       * PIDs limit not set: k8s_prometheus-config-reloader_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * PIDs limit not set: k8s_POD_prometheus-k8s-0_lxcms-monitoring-system_df0b6971-7db4-4a68-8a2a-6b31149a589f_1
[WARN]       * PIDs limit not set: k8s_prometheus_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_2
[WARN]       * PIDs limit not set: k8s_POD_elasticsearch-logging-discovery-d7698d475-spb7g_lxcms-logging-system_a93220b9-62b1-44b6-92be-724114de07e7_1
[WARN]       * PIDs limit not set: k8s_POD_prometheus-k8s-system-1_lxcms-monitoring-system_a4283e85-bdec-4468-8a4c-c3772c617e8e_1
[WARN]       * PIDs limit not set: k8s_istio-proxy_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_1
[WARN]       * PIDs limit not set: k8s_influxdb_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_1
[WARN]       * PIDs limit not set: k8s_adapter_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_2
[WARN]       * PIDs limit not set: k8s_mixer_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_9
[WARN]       * PIDs limit not set: k8s_POD_monitoring-influxdb-857bf6d4f5-k87dr_kube-system_ce8fbabe-9d4f-4090-b57a-f5dd122d26d2_3
[WARN]       * PIDs limit not set: k8s_ks-controller-manager_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_1
[WARN]       * PIDs limit not set: k8s_POD_istio-policy-b75cfc64c-l6wff_istio-system_639ea51d-1b80-42bd-bec1-7ce9b9879874_3
[WARN]       * PIDs limit not set: k8s_logsidecar-injector_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_1
[WARN]       * PIDs limit not set: k8s_POD_hub-harbor-notary-signer-74fd6d979d-77p7b_harbor_9556827f-4d13-43b5-852a-34bdb4bc463f_6
[WARN]       * PIDs limit not set: k8s_POD_ks-controller-manager-b96659449-z64mf_lxcms-system_544460c3-08e0-402f-9122-ab806ad55fd3_2
[WARN]       * PIDs limit not set: k8s_POD_hub-harbor-clair-5ddf789bcc-72zjp_harbor_b0640d33-f662-45ce-9802-e4cebf989e5d_5
[WARN]       * PIDs limit not set: k8s_POD_logsidecar-injector-577f595b97-btfz6_lxcms-logging-system_aa8c16d3-0421-4f45-8364-6c634b205143_3
[WARN]       * PIDs limit not set: k8s_config-reloader_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]       * PIDs limit not set: k8s_istio-proxy_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_3
[WARN]       * PIDs limit not set: k8s_fluent-bit_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_1
[WARN]       * PIDs limit not set: k8s_discovery_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_1
[WARN]       * PIDs limit not set: k8s_POD_fluent-bit-m6rw5_lxcms-logging-system_a6892c8d-f339-4624-8b50-abbfe66e3c18_2
[WARN]       * PIDs limit not set: k8s_default-http-backend_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_2
[WARN]       * PIDs limit not set: k8s_POD_istio-pilot-65c748b9c4-v62xc_istio-system_f67c179f-bec2-4d31-a5cf-cd2e5757f3d7_2
[WARN]       * PIDs limit not set: k8s_POD_ks-account-7c5d98c6c6-fn8xt_lxcms-system_dbe639ad-f873-4885-ba38-10e172a11e1f_2
[WARN]       * PIDs limit not set: k8s_POD_default-http-backend-654fb7998b-qnn7d_ingress-nginx_c9689f70-bad5-4abb-abaa-5931e1ad5dd2_4
[WARN]       * PIDs limit not set: k8s_kube-rbac-proxy_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * PIDs limit not set: k8s_node-exporter_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * PIDs limit not set: k8s_POD_node-exporter-sgczl_lxcms-monitoring-system_4a69f96d-487f-4c92-b399-5c8230c6ef55_1
[WARN]       * PIDs limit not set: k8s_ovs-cni-marker_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
[WARN]       * PIDs limit not set: k8s_kube-flannel_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]       * PIDs limit not set: k8s_kube-multus_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]       * PIDs limit not set: k8s_POD_kube-flannel-ds-amd64-hc5mf_kube-system_2d600175-d128-4d60-a228-1edcddd5ee96_2
[WARN]       * PIDs limit not set: k8s_POD_kube-multus-ds-amd64-2d9sq_kube-system_41192369-586d-45a4-a8ee-c2d2593362a6_2
[WARN]       * PIDs limit not set: k8s_nginx-ingress-controller_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]       * PIDs limit not set: k8s_POD_nginx-ingress-controller-cqfcs_ingress-nginx_418e31d2-cba2-445a-8c5e-80ec58e5a57e_2
[WARN]       * PIDs limit not set: k8s_POD_ovs-cni-amd64-sdcxg_kube-system_eab017b9-e859-475f-81cc-a5df08158305_2
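  • Enable an AppArmor profile; AppArmor protects the Linux operating system and applications from various threats by enforcing security policies.
  • Do not use privileged containers; a privileged container can do almost everything the host can do.
  • Sensitive host directories such as /dev, /proc and /sys should not be mounted read-write into containers.
  • Ensure the ssh service is not run inside containers.
  • Ensure container memory usage is reasonable; add memory limits.
  • Set the container restart policy to on-failure with a value of 5. Trying to start a container indefinitely can cause a denial of service on the host. If a container is terminated, investigate why it is restarting rather than trying to restart it indefinitely.
  • Configure a default ulimit.
  • Do not share the host's UTS namespace; processes running in a container normally do not need to know the host name and domain name.
  • The default seccomp profile is not disabled; keep seccomp enabled and use a customized profile.
  • Ensure docker exec is not used with the privileged option.
  • Ensure cgroups are used safely: define which cgroup each container should run under.
  • Restrict containers from gaining additional privileges through suid or sgid bits.
  • Check container health at runtime; if the container image does not define a HEALTHCHECK instruction, use the --health-cmd parameter at container runtime to check the container's health.
  • Use the PIDs cgroup limit to restrict the number of processes spawned in a container, for example by a fork bomb.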
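The following added example (not part of the original post and not Docker Bench code) checks `docker inspect` JSON against the runtime recommendations above that map to a single inspect field. The two containers in the sample are constructed, and treating a restart policy of "no" as acceptable is an assumption of this example.

```python
import json

# Host paths the list above says must not be mounted read-write.
SENSITIVE_HOST_PATHS = ("/dev", "/proc", "/sys")

# Constructed sample in the shape `docker inspect <id> ...` prints (trimmed to
# the fields used here); neither container comes from the scan on this page.
SAMPLE_INSPECT_JSON = """
[
  {"Name": "/demo-weak", "AppArmorProfile": "", "Config": {},
   "Mounts": [{"Source": "/proc", "Destination": "/host/proc", "RW": true}],
   "HostConfig": {"Privileged": true, "Memory": 0, "PidsLimit": null,
                  "RestartPolicy": {"Name": "always", "MaximumRetryCount": 0},
                  "SecurityOpt": ["seccomp=unconfined"], "UTSMode": "host"}},
  {"Name": "/demo-hardened", "AppArmorProfile": "docker-default",
   "Config": {"Healthcheck": {"Test": ["CMD-SHELL", "exit 0"]}},
   "Mounts": [{"Source": "/srv/data", "Destination": "/data", "RW": true}],
   "HostConfig": {"Privileged": false, "Memory": 268435456, "PidsLimit": 100,
                  "RestartPolicy": {"Name": "on-failure", "MaximumRetryCount": 5},
                  "SecurityOpt": ["no-new-privileges"], "UTSMode": ""}}
]
"""


def audit_container(info):
    """Return the list of findings for one `docker inspect` object."""
    host = info.get("HostConfig") or {}
    # SecurityOpt entries appear as key=value or key:value; normalise to '='.
    sec_opts = [o.replace(":", "=") for o in (host.get("SecurityOpt") or [])]
    findings = []

    if info.get("AppArmorProfile") in (None, "", "unconfined"):
        findings.append("no AppArmor profile")
    if host.get("Privileged"):
        findings.append("privileged container")
    for mount in info.get("Mounts") or []:
        src = mount.get("Source", "")
        sensitive = any(src == p or src.startswith(p + "/")
                        for p in SENSITIVE_HOST_PATHS)
        if mount.get("RW") and sensitive:
            findings.append(f"sensitive host path mounted read-write: {src}")
    if not host.get("Memory"):  # 0 means unlimited
        findings.append("no memory limit")

    restart = host.get("RestartPolicy") or {}
    name = restart.get("Name") or "no"
    retries = restart.get("MaximumRetryCount") or 0
    # Accept "no", or on-failure capped at 5 retries (on-failure:0 is unlimited).
    if not (name == "no" or (name == "on-failure" and 1 <= retries <= 5)):
        findings.append(f"restart policy {name}:{retries} may retry indefinitely")

    if host.get("UTSMode") == "host":
        findings.append("host UTS namespace shared")
    if "seccomp=unconfined" in sec_opts:
        findings.append("seccomp disabled")
    if not any(o in ("no-new-privileges", "no-new-privileges=true")
               for o in sec_opts):
        findings.append("no-new-privileges not set")
    if (host.get("PidsLimit") or 0) <= 0:  # null, 0 and -1 all mean unlimited
        findings.append("no PIDs limit")

    health = (info.get("Config") or {}).get("Healthcheck") or {}
    if not health.get("Test") or health["Test"] == ["NONE"]:
        findings.append("no health check")
    return findings


def audit(inspect_json):
    """Map container name -> findings for the JSON array `docker inspect` emits."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c)
            for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for container, issues in audit(SAMPLE_INSPECT_JSON).items():
        print(f"{container}: {len(issues)} finding(s)")
        for issue in issues:
            print(f"  - {issue}")
```

The flags that clear these findings on `docker run` are `--memory`, `--pids-limit`, `--restart=on-failure:5`, `--security-opt=no-new-privileges` and `--health-cmd`, together with not passing `--privileged`, `--uts=host` or `--security-opt seccomp=unconfined`.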

Docker security operations

No issues at present.

Docker cluster configuration

No issues at present.
