
compliance-posture.md


Catalog

Electronic Version of NIST SP 800-53 Rev 5.1.1 Controls and SP 800-53A Rev 5.1.1 Assessment Procedures

Component: Managed Kubernetes

Result of control: cm-6

Rule ID: test_configuration_check

Details
  • Subject UUID: 6fade0d6-93fc-11ee-a029-62f79297f1b7

    • Title: Cluster Name: cluster1
    • Result: fail
    • Reason:
      - eventName: c2p.policy-high-scan.179e2849d01e8567
        lastTimestamp: "2023-12-06T05:53:26Z"
        message: NonCompliant; violation - couldn't find mapping resource with kind ScanSettingBinding,
          please check if you have CRD deployed
      - eventName: c2p.policy-high-scan.179e2848595f9ba9
        lastTimestamp: "2023-12-06T05:53:20Z"
        message: NonCompliant; violation - couldn't find mapping resource with kind ComplianceSuite,
          please check if you have CRD deployed
      - eventName: c2p.policy-high-scan.179e284a97812778
        lastTimestamp: "2023-12-06T05:53:30Z"
        message: NonCompliant; violation - couldn't find mapping resource with kind ComplianceCheckResult,
          please check if you have CRD deployed
      
      
  • Subject UUID: 6fade374-93fc-11ee-a029-62f79297f1b7

    • Title: Cluster Name: cluster2
    • Result: fail
    • Reason:
      - eventName: c2p.policy-high-scan.179e284863bfbfab
        lastTimestamp: "2023-12-06T05:53:20Z"
        message: NonCompliant; violation - couldn't find mapping resource with kind ScanSettingBinding,
          please check if you have CRD deployed
      - eventName: c2p.policy-high-scan.179e284a53812e10
        lastTimestamp: "2023-12-06T05:53:28Z"
        message: NonCompliant; violation - couldn't find mapping resource with kind ComplianceSuite,
          please check if you have CRD deployed
      - eventName: c2p.policy-high-scan.179e2849950d51e5
        lastTimestamp: "2023-12-06T05:53:25Z"
        message: NonCompliant; violation - couldn't find mapping resource with kind ComplianceCheckResult,
          please check if you have CRD deployed
      
      

Rule ID: install_kyverno

Details
  • Subject UUID: 6fade0d6-93fc-11ee-a029-62f79297f1b7

    • Title: Cluster Name: cluster1
    • Result: pass
    • Reason:
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284be703d42d
        lastTimestamp: "2023-12-06T05:53:35Z"
        message: Compliant; notification - clusterroles [kyverno] found as specified, therefore
          this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284c7ace2ebf
        lastTimestamp: "2023-12-06T05:53:38Z"
        message: Compliant; notification - clusterroles [kyverno:admin-generaterequest]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284c9f4c379e
        lastTimestamp: "2023-12-06T05:53:38Z"
        message: Compliant; notification - clusterroles [kyverno:admin-policies] found as
          specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e28504ffc7000
        lastTimestamp: "2023-12-06T05:53:54Z"
        message: Compliant; notification - clusterroles [kyverno:admin-policyreport] found
          as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284befa43976
        lastTimestamp: "2023-12-06T05:53:35Z"
        message: Compliant; notification - clusterroles [kyverno:admin-reports] found as
          specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284e6ff55461
        lastTimestamp: "2023-12-06T05:53:46Z"
        message: Compliant; notification - clusterroles [kyverno:admin-updaterequest] found
          as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e285349215bae
        lastTimestamp: "2023-12-06T05:54:07Z"
        message: Compliant; notification - clusterroles [kyverno:events] found as specified,
          therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284d380ed6df
        lastTimestamp: "2023-12-06T05:53:41Z"
        message: Compliant; notification - clusterroles [kyverno:generate] found as specified,
          therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2853548333b1
        lastTimestamp: "2023-12-06T05:54:07Z"
        message: Compliant; notification - clusterroles [kyverno:policies] found as specified,
          therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284f80c03d5d
        lastTimestamp: "2023-12-06T05:53:51Z"
        message: Compliant; notification - clusterroles [kyverno:userinfo] found as specified,
          therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284ba3c9f6ea
        lastTimestamp: "2023-12-06T05:53:34Z"
        message: Compliant; notification - clusterroles [kyverno:view] found as specified,
          therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e28535e612839
        lastTimestamp: "2023-12-06T05:54:07Z"
        message: Compliant; notification - clusterroles [kyverno:webhook] found as specified,
          therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284fcb71f4df
        lastTimestamp: "2023-12-06T05:53:52Z"
        message: Compliant; notification - clusterrolebindings [kyverno] found as specified,
          therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e285680fe6ac8
        lastTimestamp: "2023-12-06T05:54:21Z"
        message: Compliant; notification - configmaps [kyverno-metrics] in namespace kyverno
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e28524f386c75
        lastTimestamp: "2023-12-06T05:54:03Z"
        message: Compliant; notification - configmaps [kyverno] in namespace kyverno found
          as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284bf8f4b48b
        lastTimestamp: "2023-12-06T05:53:35Z"
        message: Compliant; notification - customresourcedefinitions [admissionreports.kyverno.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284bba53764a
        lastTimestamp: "2023-12-06T05:53:34Z"
        message: Compliant; notification - customresourcedefinitions [backgroundscanreports.kyverno.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284fd5dac2d0
        lastTimestamp: "2023-12-06T05:53:52Z"
        message: Compliant; notification - customresourcedefinitions [clusteradmissionreports.kyverno.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284f91c7ac2d
        lastTimestamp: "2023-12-06T05:53:51Z"
        message: Compliant; notification - customresourcedefinitions [clusterbackgroundscanreports.kyverno.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2853336f0121
        lastTimestamp: "2023-12-06T05:54:07Z"
        message: Compliant; notification - customresourcedefinitions [clusterpolicies.kyverno.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2853ae517829
        lastTimestamp: "2023-12-06T05:54:09Z"
        message: Compliant; notification - customresourcedefinitions [clusterpolicyreports.wgpolicyk8s.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2853bb96886f
        lastTimestamp: "2023-12-06T05:54:09Z"
        message: Compliant; notification - customresourcedefinitions [generaterequests.kyverno.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e28567b4ab101
        lastTimestamp: "2023-12-06T05:54:21Z"
        message: Compliant; notification - customresourcedefinitions [policies.kyverno.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e285155b5a7dc
        lastTimestamp: "2023-12-06T05:53:58Z"
        message: Compliant; notification - customresourcedefinitions [policyreports.wgpolicyk8s.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e285258c5e5f7
        lastTimestamp: "2023-12-06T05:54:03Z"
        message: Compliant; notification - customresourcedefinitions [updaterequests.kyverno.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2856c0192717
        lastTimestamp: "2023-12-06T05:54:22Z"
        message: Compliant; notification - deployments [kyverno] in namespace kyverno found
          as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2851d0ebe5d4
        lastTimestamp: "2023-12-06T05:54:01Z"
        message: Compliant; notification - namespaces [kyverno] found as specified, therefore
          this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2851d422c597
        lastTimestamp: "2023-12-06T05:54:01Z"
        message: Compliant; notification - roles [kyverno:leaderelection] in namespace kyverno
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e28526cb03284
        lastTimestamp: "2023-12-06T05:54:03Z"
        message: Compliant; notification - rolebindings [kyverno:leaderelection] in namespace
          kyverno found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e285684956927
        lastTimestamp: "2023-12-06T05:54:21Z"
        message: Compliant; notification - services [kyverno-svc-metrics] in namespace kyverno
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e285277e643d2
        lastTimestamp: "2023-12-06T05:54:03Z"
        message: Compliant; notification - services [kyverno-svc] in namespace kyverno found
          as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2855b441709c
        lastTimestamp: "2023-12-06T05:54:17Z"
        message: Compliant; notification - serviceaccounts [kyverno] in namespace kyverno
          found as specified, therefore this Object template is compliant
      
      
  • Subject UUID: 6fade374-93fc-11ee-a029-62f79297f1b7

    • Title: Cluster Name: cluster2
    • Result: pass
    • Reason:
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284c9a97c784
        lastTimestamp: "2023-12-06T05:53:38Z"
        message: Compliant; notification - clusterroles [kyverno] found as specified, therefore
          this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284b35375584
        lastTimestamp: "2023-12-06T05:53:32Z"
        message: Compliant; notification - clusterroles [kyverno:admin-generaterequest]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284ef4862c6a
        lastTimestamp: "2023-12-06T05:53:48Z"
        message: Compliant; notification - clusterroles [kyverno:admin-policies] found as
          specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284dfd646310
        lastTimestamp: "2023-12-06T05:53:44Z"
        message: Compliant; notification - clusterroles [kyverno:admin-policyreport] found
          as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284dc9cf5a21
        lastTimestamp: "2023-12-06T05:53:43Z"
        message: Compliant; notification - clusterroles [kyverno:admin-reports] found as
          specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284b3482ad78
        lastTimestamp: "2023-12-06T05:53:32Z"
        message: Compliant; notification - clusterroles [kyverno:admin-updaterequest] found
          as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284f07938a0b
        lastTimestamp: "2023-12-06T05:53:49Z"
        message: Compliant; notification - clusterroles [kyverno:events] found as specified,
          therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284f17ff00f6
        lastTimestamp: "2023-12-06T05:53:49Z"
        message: Compliant; notification - clusterroles [kyverno:generate] found as specified,
          therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284ca95ae428
        lastTimestamp: "2023-12-06T05:53:38Z"
        message: Compliant; notification - clusterroles [kyverno:policies] found as specified,
          therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284e30919d74
        lastTimestamp: "2023-12-06T05:53:45Z"
        message: Compliant; notification - clusterroles [kyverno:userinfo] found as specified,
          therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284e4527ba38
        lastTimestamp: "2023-12-06T05:53:45Z"
        message: Compliant; notification - clusterroles [kyverno:view] found as specified,
          therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284c5820f7b0
        lastTimestamp: "2023-12-06T05:53:37Z"
        message: Compliant; notification - clusterroles [kyverno:webhook] found as specified,
          therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284dccc3cae5
        lastTimestamp: "2023-12-06T05:53:43Z"
        message: Compliant; notification - clusterrolebindings [kyverno] found as specified,
          therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e285889d4069c
        lastTimestamp: "2023-12-06T05:54:29Z"
        message: Compliant; notification - configmaps [kyverno-metrics] in namespace kyverno
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2853e3c830c7
        lastTimestamp: "2023-12-06T05:54:09Z"
        message: Compliant; notification - configmaps [kyverno] in namespace kyverno found
          as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2851c8b54cb1
        lastTimestamp: "2023-12-06T05:54:00Z"
        message: Compliant; notification - customresourcedefinitions [admissionreports.kyverno.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284dda99ee7e
        lastTimestamp: "2023-12-06T05:53:44Z"
        message: Compliant; notification - customresourcedefinitions [backgroundscanreports.kyverno.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e284cbfda9c70
        lastTimestamp: "2023-12-06T05:53:39Z"
        message: Compliant; notification - customresourcedefinitions [clusteradmissionreports.kyverno.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2854d3f7806a
        lastTimestamp: "2023-12-06T05:54:13Z"
        message: Compliant; notification - customresourcedefinitions [clusterbackgroundscanreports.kyverno.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2856e1ae7593
        lastTimestamp: "2023-12-06T05:54:22Z"
        message: Compliant; notification - customresourcedefinitions [clusterpolicies.kyverno.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2851eb3a6bea
        lastTimestamp: "2023-12-06T05:54:01Z"
        message: Compliant; notification - customresourcedefinitions [clusterpolicyreports.wgpolicyk8s.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2851282fb972
        lastTimestamp: "2023-12-06T05:53:58Z"
        message: Compliant; notification - customresourcedefinitions [generaterequests.kyverno.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2851fa561a0e
        lastTimestamp: "2023-12-06T05:54:01Z"
        message: Compliant; notification - customresourcedefinitions [policies.kyverno.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2854e6af9e7a
        lastTimestamp: "2023-12-06T05:54:14Z"
        message: Compliant; notification - customresourcedefinitions [policyreports.wgpolicyk8s.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e285334bd6234
        lastTimestamp: "2023-12-06T05:54:07Z"
        message: Compliant; notification - customresourcedefinitions [updaterequests.kyverno.io]
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e28588a2bd302
        lastTimestamp: "2023-12-06T05:54:29Z"
        message: Compliant; notification - deployments [kyverno] in namespace kyverno found
          as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2851d0e23da9
        lastTimestamp: "2023-12-06T05:54:01Z"
        message: Compliant; notification - namespaces [kyverno] found as specified, therefore
          this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2853398624f1
        lastTimestamp: "2023-12-06T05:54:07Z"
        message: Compliant; notification - roles [kyverno:leaderelection] in namespace kyverno
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2858b1db4b8e
        lastTimestamp: "2023-12-06T05:54:30Z"
        message: Compliant; notification - rolebindings [kyverno:leaderelection] in namespace
          kyverno found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2857bc2aa4bd
        lastTimestamp: "2023-12-06T05:54:26Z"
        message: Compliant; notification - services [kyverno-svc-metrics] in namespace kyverno
          found as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e285346ad8e3c
        lastTimestamp: "2023-12-06T05:54:07Z"
        message: Compliant; notification - services [kyverno-svc] in namespace kyverno found
          as specified, therefore this Object template is compliant
      - eventName: c2p.policy-install-kyverno-from-manifests.179e2857c388cf77
        lastTimestamp: "2023-12-06T05:54:26Z"
        message: Compliant; notification - serviceaccounts [kyverno] in namespace kyverno
          found as specified, therefore this Object template is compliant
      
      

Rule ID: test_required_label

Details
  • Subject UUID: 6fade0d6-93fc-11ee-a029-62f79297f1b7

    • Title: Cluster Name: cluster1
    • Result: fail
    • Reason:
      - eventName: c2p.policy-kyverno-require-labels.179e2851c11fe04c
        lastTimestamp: "2023-12-06T05:54:00Z"
        message: Compliant; notification - clusterpolicies [require-labels] found as specified,
          therefore this Object template is compliant
      - eventName: c2p.policy-kyverno-require-labels.179e2862688eaee7
        lastTimestamp: "2023-12-06T05:55:12Z"
        message: 'NonCompliant; violation - policyreports found: [cpol-require-labels] in
          namespace local-path-storage'
      
      
  • Subject UUID: 6fade374-93fc-11ee-a029-62f79297f1b7

    • Title: Cluster Name: cluster2
    • Result: fail
    • Reason:
      - eventName: c2p.policy-kyverno-require-labels.179e2855f5ab92dd
        lastTimestamp: "2023-12-06T05:54:18Z"
        message: Compliant; notification - clusterpolicies [require-labels] found as specified,
          therefore this Object template is compliant
      - eventName: c2p.policy-kyverno-require-labels.179e2862e1802d28
        lastTimestamp: "2023-12-06T05:55:14Z"
        message: 'NonCompliant; violation - policyreports found: [cpol-require-labels] in
          namespace local-path-storage'
      
      

Result of control: cm-2

Rule ID: test_proxy_check

Details
  • Subject UUID: 6fade0d6-93fc-11ee-a029-62f79297f1b7

    • Title: Cluster Name: cluster1
    • Result: fail
    • Reason:
      - eventName: c2p.policy-deployment.179e284f776397b3
        lastTimestamp: "2023-12-06T05:53:50Z"
        message: 'NonCompliant; violation - deployments not found: [nginx-deployment] in
          namespace cluster1 missing; [nginx-deployment] in namespace default missing; [nginx-deployment]
          in namespace kube-node-lease missing; [nginx-deployment] in namespace kube-public
          missing; [nginx-deployment] in namespace kyverno missing; [nginx-deployment] in
          namespace local-path-storage missing'
      
      
  • Subject UUID: 6fade374-93fc-11ee-a029-62f79297f1b7

    • Title: Cluster Name: cluster2
    • Result: fail
    • Reason:
      - eventName: c2p.policy-deployment.179e2854bed6d22e
        lastTimestamp: "2023-12-06T05:54:13Z"
        message: 'NonCompliant; violation - deployments not found: [nginx-deployment] in
          namespace cluster2 missing; [nginx-deployment] in namespace default missing; [nginx-deployment]
          in namespace kube-node-lease missing; [nginx-deployment] in namespace kube-public
          missing; [nginx-deployment] in namespace kyverno missing; [nginx-deployment] in
          namespace local-path-storage missing'