
Magalix Introduces the Cloud-Native Application Policy Pack


Magalix Application-Based Policy Pack

Policy as Code Security as Code

Running with Policy-as-Code

At Magalix, we have built the Cloud-Native Application Policy Pack to help teams and organizations tighten the security of their applications and containers. Built in-house, and based on our numerous conversations with customers and our ongoing analysis of the security landscape, this pack can get you started on closing your security gaps in two weeks or less. It focuses on the security and configuration best practices that keep critical databases, endpoints, and other assets and resources from being exposed: containers that run as root or in privileged mode, workloads that mount the Docker socket or share host namespaces, and database images deployed without credentials set, to name a few. We have structured the pack as follows:
  • Application Name - [Kubernetes, Prometheus, MongoDB, mongo-express, MySQL, PostgreSQL, MariaDB, RabbitMQ, InfluxDB].
  • Entity - [Workloads, Namespaces, Networking, Ingress, Nodes, Storage, Access Control].
  • Policy Name

Policy List

| # | Application Name | Entity | Policy Name |
|---|---|---|---|
| 1 | Kubernetes | Workloads | Containers running with PrivilegeEscalation |
| 2 | Kubernetes | Workloads | Containers are using hostPath |
| 3 | Kubernetes | Workloads | Containers are using blocked ports |
| 4 | Kubernetes | Workloads | Containers running with unapproved LinuxCapabilities |
| 5 | Kubernetes | Workloads | Containers running as root |
| 6 | Kubernetes | Workloads | Containers running with PrivilegedMode |
| 7 | Kubernetes | Workloads | Containers are missing securityContext |
| 8 | Kubernetes | Workloads | Containers are using hostPort |
| 9 | Kubernetes | Workloads | Containers are mounting Docker socket |
| 10 | Kubernetes | Workloads | Containers should not use image names |
| 11 | Kubernetes | Workloads | Using latest Image Tag |
| 12 | Kubernetes | Workloads | Missing Owner Label |
| 13 | Kubernetes | Workloads | Missing App Label |
| 14 | Kubernetes | Workloads | Missing Kubernetes App Label |
| 15 | Kubernetes | Workloads | Missing Kubernetes App Instance Label |
| 16 | Kubernetes | Workloads | Missing Kubernetes App Version Label |
| 17 | Kubernetes | Workloads | Missing Kubernetes App Component Label |
| 18 | Kubernetes | Workloads | Missing Kubernetes App Part-of Label |
| 19 | Kubernetes | Workloads | Missing Kubernetes App Managed-by Label |
| 20 | Kubernetes | Workloads | Missing App Match Label |
| 21 | Kubernetes | Workloads | Containers are missing Readiness Probe |
| 22 | Kubernetes | Workloads | Containers are missing Liveness Probe |
| 23 | Kubernetes | Workloads | Containers are missing Startup Probe |
| 24 | Kubernetes | Workloads | Containers should mount root filesystem as read-only |
| 25 | Kubernetes | Workloads | Workload Replica Count should be at least 2 |
| 26 | Kubernetes | Workloads | Container CPU Requests should be set |
| 27 | Kubernetes | Workloads | Container Memory Requests should be set |
| 28 | Kubernetes | Workloads | Container CPU Limits should be set |
| 29 | Kubernetes | Workloads | Container Memory Limits should be set |
| 30 | Kubernetes | Workloads | Containers are not using RuntimeDefault Seccomp |
| 31 | Kubernetes | Workloads | Controller-based ServiceAccount tokens should not automount |
| 32 | Kubernetes | Workloads | Workload Annotations should not automount service account tokens |
| 33 | Kubernetes | Workloads | Containers should not share hostNetwork |
| 34 | Kubernetes | Workloads | Containers should not share hostPID |
| 35 | Kubernetes | Workloads | Containers should not use shareProcessNamespace |
| 36 | Kubernetes | Workloads | Containers should not share hostIPC |
| 37 | Kubernetes | Workloads | Containers are missing a restartPolicy |
| 38 | Kubernetes | Workloads | Containers are missing a spec template label |
| 39 | Kubernetes | Workloads | Containers should not run on Kubernetes Control Plane nodes |
| 40 | Kubernetes | Workloads | Containers should not run in the default namespace |
| 41 | Kubernetes | Ingress | Ingress Class should be NGINX |
| 42 | Kubernetes | Workloads | Prevent naked pods from being scheduled |
| 43 | Kubernetes | Workloads | LimitRange is missing default CPU |
| 44 | Kubernetes | Workloads | LimitRange is missing defaultRequest CPU |
| 45 | Kubernetes | Workloads | LimitRange is missing default Memory |
| 46 | Kubernetes | Workloads | LimitRange is missing defaultRequest Memory |
| 47 | Kubernetes | Workloads | LimitRange is missing min CPU |
| 48 | Kubernetes | Workloads | LimitRange is missing max CPU |
| 49 | Kubernetes | Workloads | LimitRange is missing min Memory |
| 50 | Kubernetes | Workloads | LimitRange is missing max Memory |
| 51 | Kubernetes | Namespaces | Prevent creating a namespace starting with kube- |
| 52 | Kubernetes | Namespaces | Resource Quota is missing CPU Requests |
| 53 | Kubernetes | Namespaces | Resource Quota is missing CPU Limits |
| 54 | Kubernetes | Namespaces | Resource Quota is missing Memory Requests |
| 55 | Kubernetes | Namespaces | Resource Quota is missing Memory Limits |
| 56 | Kubernetes | Networking | Block All Egress Traffic |
| 57 | Kubernetes | Networking | Block All Ingress Traffic |
| 58 | Kubernetes | Nodes | Node is missing label kubernetes.io/hostname |
| 59 | Kubernetes | Nodes | Node is missing label kubernetes.io/arch |
| 60 | Kubernetes | Nodes | Node is missing label node.kubernetes.io/instance-type |
| 61 | Kubernetes | Nodes | Node is missing label kubernetes.io/os |
| 62 | Kubernetes | Nodes | Node is missing label node-role.kubernetes.io |
| 63 | Kubernetes | Nodes | Node is missing label topology.kubernetes.io/zone |
| 64 | Kubernetes | Nodes | OS Version must meet standard |
| 65 | Kubernetes | Storage | Persistent Volume Reclaim Policy set to Retain |
| 66 | Prometheus | Workloads | Prometheus Scrape Annotation Key |
| 67 | Prometheus | Workloads | Prometheus Port Annotation Key |
| 68 | Prometheus | Workloads | Prometheus Path Annotation Key |
| 69 | Prometheus | Workloads | Prometheus Scrape Annotation Value |
| 70 | Prometheus | Workloads | Prometheus Port Annotation Value |
| 71 | Prometheus | Workloads | Prometheus Path Annotation Value |
| 72 | Prometheus | Access Control | Prometheus RBAC does not allow put |
| 73 | Prometheus | Access Control | Prometheus RBAC does not allow patch |
| 74 | Prometheus | Workloads | Prometheus Service Annotation prometheus.io/scrape |
| 75 | Prometheus | Workloads | Prometheus ClusterRoleBinding has incorrect bindings |
| 76 | Kubernetes | Access Control | RBAC: Protect cluster-admin ClusterRoleBindings |
| 77 | Kubernetes | Access Control | Prohibit RBAC Create Deployments |
| 78 | Kubernetes | Access Control | Prohibit RBAC Wildcards for Resources |
| 79 | Kubernetes | Access Control | Prohibit RBAC Wildcards for Verbs |
| 80 | Kubernetes | Access Control | Prohibit RBAC Wildcards for API Groups |
| 81 | Kubernetes | Access Control | Prohibit RBAC Wildcards for Non-Resource URLs |
| 82 | Kubernetes | Access Control | Disable Service Account Token Automount for ServiceAccounts |
| 83 | Kubernetes | Networking | Services are not using ports over 1024 |
| 84 | Kubernetes | Networking | Services are only using Specified Protocols |
| 85 | Kubernetes | Networking | Services are using NodePort |
| 86 | MongoDB | Workloads | Set environment variable MONGO_INITDB_ROOT_USERNAME |
| 87 | MongoDB | Workloads | Set environment variable MONGO_INITDB_ROOT_PASSWORD |
| 88 | MongoDB | Workloads | Set environment variable MONGO_INITDB_DATABASE |
| 89 | mongo-express | Workloads | Set environment variable ME_CONFIG_BASICAUTH_USERNAME |
| 90 | mongo-express | Workloads | Set environment variable ME_CONFIG_BASICAUTH_PASSWORD |
| 91 | mongo-express | Workloads | Set environment variable ME_CONFIG_MONGODB_ENABLE_ADMIN |
| 92 | mongo-express | Workloads | Set environment variable ME_CONFIG_MONGODB_ADMINUSERNAME |
| 93 | mongo-express | Workloads | Set environment variable ME_CONFIG_MONGODB_ADMINPASSWORD |
| 94 | mongo-express | Workloads | Set environment variable ME_CONFIG_MONGODB_PORT |
| 95 | mongo-express | Workloads | Set environment variable ME_CONFIG_MONGODB_SERVER |
| 96 | mongo-express | Workloads | Set environment variable ME_CONFIG_OPTIONS_EDITORTHEME |
| 97 | mongo-express | Workloads | Set environment variable ME_CONFIG_REQUEST_SIZE |
| 98 | mongo-express | Workloads | Set environment variable ME_CONFIG_SITE_BASEURL |
| 99 | mongo-express | Workloads | Set environment variable ME_CONFIG_SITE_COOKIESECRET |
| 100 | mongo-express | Workloads | Set environment variable ME_CONFIG_SITE_SESSIONSECRET |
| 101 | mongo-express | Workloads | Set environment variable ME_CONFIG_SITE_SSL_ENABLED |
| 102 | mongo-express | Workloads | Set environment variable ME_CONFIG_SITE_SSL_CRT_PATH |
| 103 | mongo-express | Workloads | Set environment variable ME_CONFIG_SITE_SSL_KEY_PATH |
| 104 | MySQL | Workloads | Set environment variable MYSQL_ROOT_PASSWORD |
| 105 | MySQL | Workloads | Set environment variable MYSQL_DATABASE |
| 106 | MySQL | Workloads | Set environment variable MYSQL_USER |
| 107 | MySQL | Workloads | Set environment variable MYSQL_PASSWORD |
| 108 | MySQL | Workloads | Disable environment variable MYSQL_ALLOW_EMPTY_PASSWORD |
| 109 | MySQL | Workloads | Set environment variable MYSQL_RANDOM_ROOT_PASSWORD |
| 110 | MySQL | Workloads | Set environment variable MYSQL_ONETIME_PASSWORD |
| 111 | MySQL | Workloads | Set environment variable MYSQL_INITDB_SKIP_TZINFO |
| 112 | PostgreSQL | Workloads | Set environment variable POSTGRES_PASSWORD |
| 113 | PostgreSQL | Workloads | Set environment variable POSTGRES_USER |
| 114 | PostgreSQL | Workloads | Set environment variable POSTGRES_DB |
| 115 | PostgreSQL | Workloads | Set environment variable POSTGRES_INITDB_ARGS |
| 116 | PostgreSQL | Workloads | Set environment variable POSTGRES_INITDB_WALDIR |
| 117 | PostgreSQL | Workloads | Set environment variable POSTGRES_HOST_AUTH_METHOD |
| 118 | PostgreSQL | Workloads | Set environment variable PGDATA |
| 119 | MariaDB | Workloads | Set environment variable MYSQL_ROOT_PASSWORD |
| 120 | MariaDB | Workloads | Set environment variable MYSQL_DATABASE |
| 121 | MariaDB | Workloads | Set environment variable MYSQL_USER |
| 122 | MariaDB | Workloads | Set environment variable MYSQL_PASSWORD |
| 123 | MariaDB | Workloads | Disable environment variable MYSQL_ALLOW_EMPTY_PASSWORD |
| 124 | MariaDB | Workloads | Set environment variable MYSQL_RANDOM_ROOT_PASSWORD |
| 125 | MariaDB | Workloads | Set environment variable MYSQL_INITDB_SKIP_TZINFO |
| 126 | RabbitMQ | Workloads | Set environment variable RABBITMQ_DEFAULT_USER |
| 127 | RabbitMQ | Workloads | Set environment variable RABBITMQ_DEFAULT_PASS |
| 128 | RabbitMQ | Workloads | Set environment variable RABBITMQ_HIPE_COMPILE |
| 129 | RabbitMQ | Workloads | Set environment variable RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS |
| 130 | RabbitMQ | Workloads | Set environment variable RABBITMQ_DEFAULT_VHOST |
| 131 | RabbitMQ | Workloads | Set environment variable RABBITMQ_SSL_CACERTFILE |
| 132 | RabbitMQ | Workloads | Set environment variable RABBITMQ_SSL_CERTFILE |
| 133 | RabbitMQ | Workloads | Set environment variable RABBITMQ_SSL_DEPTH |
| 134 | RabbitMQ | Workloads | Set environment variable RABBITMQ_SSL_FAIL_IF_NO_PEER_CERT |
| 135 | RabbitMQ | Workloads | Set environment variable RABBITMQ_SSL_KEYFILE |
| 136 | RabbitMQ | Workloads | Set environment variable RABBITMQ_SSL_VERIFY |
| 137 | RabbitMQ | Workloads | Set environment variable RABBITMQ_MANAGEMENT_SSL_CACERTFILE |
| 138 | RabbitMQ | Workloads | Set environment variable RABBITMQ_MANAGEMENT_SSL_CERTFILE |
| 139 | RabbitMQ | Workloads | Set environment variable RABBITMQ_MANAGEMENT_SSL_DEPTH |
| 140 | RabbitMQ | Workloads | Set environment variable RABBITMQ_MANAGEMENT_SSL_FAIL_IF_NO_PEER_CERT |
| 141 | RabbitMQ | Workloads | Set environment variable RABBITMQ_MANAGEMENT_SSL_KEYFILE |
| 142 | RabbitMQ | Workloads | Set environment variable RABBITMQ_MANAGEMENT_SSL_VERIFY |
| 143 | RabbitMQ | Workloads | Set environment variable RABBITMQ_CONFIG_FILE |
| 144 | RabbitMQ | Workloads | Set environment variable RABBITMQ_GENERATED_CONFIG_DIR |
| 145 | RabbitMQ | Workloads | Set environment variable RABBITMQ_MNESIA_BASE |
| 146 | RabbitMQ | Workloads | Set environment variable RABBITMQ_MNESIA_DIR |
| 147 | RabbitMQ | Workloads | Set environment variable RABBITMQ_SCHEMA_DIR |
| 148 | RabbitMQ | Workloads | Set environment variable RABBITMQ_LOG_BASE |
| 149 | RabbitMQ | Workloads | Set environment variable RABBITMQ_LOGS |
| 150 | RabbitMQ | Workloads | Set environment variable RABBITMQ_PLUGINS_DIR |
| 151 | RabbitMQ | Workloads | Set environment variable RABBITMQ_ENABLED_PLUGINS_FILE |
| 152 | RabbitMQ | Workloads | Set environment variable RABBITMQ_PID_FILE |
| 153 | RabbitMQ | Workloads | Set environment variable RABBITMQ_PLUGINS_EXPAND_DIR |
| 154 | InfluxDB | Workloads | Set environment variable DOCKER_INFLUXDB_INIT_USERNAME |
| 155 | InfluxDB | Workloads | Set environment variable DOCKER_INFLUXDB_INIT_PASSWORD |
| 156 | InfluxDB | Workloads | Set environment variable DOCKER_INFLUXDB_INIT_ORG |
| 157 | InfluxDB | Workloads | Set environment variable DOCKER_INFLUXDB_INIT_BUCKET |
| 158 | InfluxDB | Workloads | Set environment variable DOCKER_INFLUXDB_INIT_RETENTION |
| 159 | InfluxDB | Workloads | Set environment variable DOCKER_INFLUXDB_INIT_ADMIN_TOKEN |
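The list names the policies but the page does not show how one is evaluated, so here is an added example that is my own code, not Magalix's engine or any of its policy definitions. It implements a handful of the Kubernetes workload policies and a subset of the application environment-variable policies as plain Python over a parsed Pod spec. The policy names are taken from the table; the predicates, the `evaluate` function, the `CONTAINER_RULES`, `POD_RULES` and `ENV_POLICY` structures, and the two sample manifests (a deliberately weak MySQL pod and a hardened counterpart) are assumptions constructed for illustration and come from no real cluster or product.

```python
"""Policy-as-code checks modelled on the workload and application policies listed above.
Added illustration, not Magalix's engine or policy code. A check takes a parsed Pod spec (the
.spec of a Pod or .spec.template.spec of a Deployment, as json.load returns it for
`kubectl get pod -o json`) and returns violation strings. Standard library only."""

# Application env-var policies from the list, keyed by image repository name:
# (keys that must be set, keys that must not be set at all). Subset of the table only.
ENV_POLICY = {
    "mysql": ({"MYSQL_ROOT_PASSWORD"}, {"MYSQL_ALLOW_EMPTY_PASSWORD"}),
    "postgres": ({"POSTGRES_PASSWORD"}, set()),
    "mongo": ({"MONGO_INITDB_ROOT_USERNAME", "MONGO_INITDB_ROOT_PASSWORD"}, set()),
}
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}
HOST_NAMESPACES = ("hostNetwork", "hostPID", "hostIPC", "shareProcessNamespace")

def _containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])

def _sc(spec, c, key):
    """securityContext lookup; the container level overrides the pod level."""
    csc = c.get("securityContext") or {}
    return csc[key] if key in csc else (spec.get("securityContext") or {}).get(key)

def _image_repo(image):
    """'docker.io/library/mysql:8.0' -> 'mysql' (registry, path, tag and digest stripped)."""
    return image.split("@", 1)[0].rsplit("/", 1)[-1].split(":", 1)[0]

def _unpinned(image):
    """True when the image has no digest and either no tag or the mutable 'latest' tag."""
    return "@sha256:" not in image and image.rsplit("/", 1)[-1].partition(":")[2] in ("", "latest")

def _runs_as_root(spec, c):
    uid = _sc(spec, c, "runAsUser")
    return _sc(spec, c, "runAsNonRoot") is not True and (uid is None or uid == 0)

# Policy name -> (violation predicate over (pod spec, container), remedy).
CONTAINER_RULES = {
    "Containers running with PrivilegeEscalation":
        (lambda s, c: _sc(s, c, "allowPrivilegeEscalation") is not False, "set allowPrivilegeEscalation: false"),
    "Containers running with PrivilegedMode": (lambda s, c: _sc(s, c, "privileged") is True, "set privileged: false"),
    "Containers running as root": (_runs_as_root, "set runAsNonRoot: true or a non-zero runAsUser"),
    "Containers should mount root filesystem as read-only":
        (lambda s, c: _sc(s, c, "readOnlyRootFilesystem") is not True, "set readOnlyRootFilesystem: true"),
    "Containers are not using RuntimeDefault Seccomp":
        (lambda s, c: (_sc(s, c, "seccompProfile") or {}).get("type") != "RuntimeDefault", "set seccompProfile.type: RuntimeDefault"),
    "Using latest Image Tag": (lambda s, c: _unpinned(c.get("image", "")), "pin the image to a tag or digest"),
}

def _host_paths(spec, only=None):
    # hostPath volumes, optionally restricted to a set of paths (e.g. the Docker socket).
    return [f"volume {v['name']}: hostPath {p}" for v in spec.get("volumes", [])
            for p in [(v.get("hostPath") or {}).get("path")] if p and (only is None or p.rstrip("/") in only)]

def _env_violations(spec):
    out = []
    for c in _containers(spec):
        required, forbidden = ENV_POLICY.get(_image_repo(c.get("image", "")), (set(), set()))
        names = {e["name"] for e in c.get("env", [])}
        out += [f"container {c['name']}: {k} must be set" for k in sorted(required - names)]
        out += [f"container {c['name']}: {k} must not be set" for k in sorted(forbidden & names)]
    return out

POD_RULES = {
    "Containers are using hostPath": _host_paths,
    "Containers are mounting Docker socket": lambda s: _host_paths(s, DOCKER_SOCKETS),
    "Containers should not share host namespaces":
        lambda s: [f"pod: {k} must be false" for k in HOST_NAMESPACES if s.get(k) is True],
    "Workloads should not automount service account tokens":
        lambda s: [] if s.get("automountServiceAccountToken") is False else ["pod: set automountServiceAccountToken: false"],
    "Application environment variables": _env_violations,
}

def evaluate(spec):
    """Return {policy name: violations} for every policy the spec fails."""
    failed = {name: [f"container {c['name']}: {fix}" for c in _containers(spec) if bad(spec, c)]
              for name, (bad, fix) in CONTAINER_RULES.items()}
    failed.update({name: rule(spec) for name, rule in POD_RULES.items()})
    return {name: hits for name, hits in failed.items() if hits}

# Constructed sample specs (from no real cluster): a copy-pasted MySQL pod and a hardened version.
WEAK = {
    "hostNetwork": True,
    "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [{"name": "db", "image": "mysql",
                    "env": [{"name": "MYSQL_ALLOW_EMPTY_PASSWORD", "value": "yes"}],
                    "securityContext": {"privileged": True}}],
}
HARDENED = {
    "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True, "runAsUser": 999, "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "mysql-data"}}],
    "containers": [{"name": "db", "image": "docker.io/library/mysql:8.0",
                    "env": [{"name": "MYSQL_ROOT_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "mysql-root", "key": "password"}}}],
                    "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True},
                    "volumeMounts": [{"name": "data", "mountPath": "/var/lib/mysql"}]}],
}

if __name__ == "__main__":
    for name, hits in evaluate(WEAK).items():  # evaluate(HARDENED) returns {}
        print(name, *hits, sep="\n    ")
```

Two caveats a practitioner should keep in mind. The environment-variable checks are configuration checks only: they confirm a credential is supplied, not that it is strong or that it comes from a Secret rather than a literal value, and the official mysql image also accepts MYSQL_RANDOM_ROOT_PASSWORD in place of MYSQL_ROOT_PASSWORD, so a production policy would be written as "exactly one of" rather than the simple required/forbidden split used here. Checks like these also belong at admission time (a validating webhook or policy agent), where a violating manifest is rejected before it is scheduled; a script of this shape is most useful for scanning manifests in CI before they ever reach the cluster.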

Conclusion

Check back every week to see the latest Policy List updates.
