added kubernetes cluster security profile

cloud/kubernetes/deployments/k8s-cpu-limits-not-set.yaml

@@ -11,7 +11,7 @@ info:
     Set CPU limits for all containers in Kubernetes Deployments to ensure fair CPU resource distribution and prevent performance issues.
   reference:
     - https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/
-  tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+  tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/deployments/k8s-cpu-requests-not-set.yaml

@@ -11,7 +11,7 @@ info:
     Set CPU requests for all containers in Kubernetes Deplayments to ensure efficient scheduling and resource allocation.
   reference:
     - https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/
-  tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+  tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/deployments/k8s-default-namespace-used.yaml

@@ -11,7 +11,7 @@ info:
     Avoid using the default namespace for Kubernetes Deployments. Create and specify dedicated namespaces tailored to specific applications or teams to enhance security and manage resources effectively.
   reference:
     - https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
-  tags: cloud,devops,kubernetes,k8s,devsecops,namespaces
+  tags: cloud,devops,kubernetes,k8s,devsecops,namespaces,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/deployments/k8s-host-ports-check.yaml

@@ -11,7 +11,7 @@ info:
     Avoid using host ports in Kubernetes Deployments. Use services or other networking mechanisms to expose container applications.
   reference:
     - https://kubernetes.io/docs/concepts/services-networking/service/
-  tags: cloud,devops,kubernetes,security,devsecops,deployments
+  tags: cloud,devops,kubernetes,devsecops,deployments,k8s,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/deployments/k8s-image-pull-policy-always.yaml

@@ -10,7 +10,7 @@ info:
   remediation: Update the image pull policy in Kubernetes Deployments to 'Always' to ensure that the latest container images are always used.
   reference:
     - https://kubernetes.io/docs/concepts/containers/images/#updating-images
-  tags: cloud,devops,kubernetes,k8s,devsecops,deployments,images,docker
+  tags: cloud,devops,kubernetes,k8s,devsecops,deployments,images,docker,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/deployments/k8s-image-tag-not-fixed.yaml

@@ -11,7 +11,7 @@ info:
     Use specific image tags for all containers in Kubernetes Deployments to ensure reproducibility and stability of application deployments.
   reference:
     - https://kubernetes.io/docs/concepts/containers/images/
-  tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+  tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/deployments/k8s-liveness-probe-not-configured.yaml

@@ -10,7 +10,7 @@ info:
   remediation: Configure liveness probes for all containers in Kubernetes Deployments to ensure proper health checks and automatic restarts of failing containers
   reference:
     - https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
-  tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+  tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/deployments/k8s-memory-limits-not-set.yaml

@@ -10,7 +10,7 @@ info:
   remediation: Set memory limits for all containers in Kubernetes Deployments to ensure resource management and application stability
   reference:
     - https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/
-  tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+  tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/deployments/k8s-memory-requests-not-set.yaml

@@ -10,7 +10,7 @@ info:
   remediation: Set memory requests for all containers in Kubernetes Deployments to ensure efficient pod scheduling and node resource utilization.
   reference:
     - https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/
-  tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+  tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/deployments/k8s-minimize-added-capabilities.yaml

@@ -11,7 +11,7 @@ info:
     Ensure that no unnecessary capabilities are added to containers within Kubernetes Deployments. Use security contexts to define the minimum necessary privileges.
   reference:
     - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-  tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+  tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/deployments/k8s-privileged-container.yaml

@@ -11,7 +11,7 @@ info:
     Ensure that no container in Kubernetes Deployments runs in privileged mode, as the root user, or with privilege escalation enabled. Modify the security context for each container to set `privileged: false`, `runAsUser` appropriately, and `allowPrivilegeEscalation: false`.
   reference:
     - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
-  tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+  tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/deployments/k8s-readiness-probe-not-set.yaml

@@ -11,7 +11,7 @@ info:
     Define readiness probes in all containers within your Kubernetes Deployments to ensure that traffic is only routed to containers that are fully prepared to handle it.
   reference:
     - https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
-  tags: cloud,devops,kubernetes,k8s,devsecops,deployments
+  tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/deployments/k8s-root-container-admission.yaml

@@ -11,7 +11,7 @@ info:
     Configure security contexts for all pods to run containers with a non-root user. Use Pod Security Policies or OPA/Gatekeeper to enforce these configurations.
   reference:
     - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
-  tags: cloud,devops,kubernetes,devsecops,deployments,k8s
+  tags: cloud,devops,kubernetes,devsecops,deployments,k8s,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/deployments/k8s-seccomp-profile-set.yaml

@@ -11,7 +11,7 @@ info:
     Ensure that all containers in Kubernetes Deployments have a seccomp profile of docker/default or runtime/default set in their security contexts.
   reference:
     - https://kubernetes.io/docs/tutorials/clusters/seccomp/
-  tags: cloud,devops,kubernetes,security,devsecops,containers
+  tags: cloud,devops,kubernetes,devsecops,containers,k8s,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/kubernetes-code-env.yaml

@@ -7,7 +7,7 @@ info:
     Checks if kubernetes CLI is set up and all necessary tools are installed on the environment.
   reference:
     - https://kubernetes.io/
-  tags: cloud,devops,kubernetes,k8s,kubernetes-cloud-config
+  tags: cloud,devops,kubernetes,k8s,k8s-cluster-security
 
 self-contained: true
 code:

cloud/kubernetes/network-policies/k8s-netpol-egress-rules.yaml

@@ -10,7 +10,7 @@ info:
   remediation: Define egress rules in all network policies to control outbound traffic from your Kubernetes pods, thereby reducing security risks.
   reference:
     - https://kubernetes.io/docs/concepts/services-networking/network-policies/
-  tags: cloud,devops,kubernetes,security,devsecops,network
+  tags: cloud,devops,kubernetes,devsecops,k8s,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/network-policies/k8s-netpol-namespace.yaml

@@ -11,7 +11,7 @@ info:
     Ensure that all Network Policies explicitly define a namespace to maintain proper network isolation and security boundaries.
   reference:
     - https://kubernetes.io/docs/concepts/services-networking/network-policies/
-  tags: cloud,devops,kubernetes,security,devsecops,networking
+  tags: cloud,devops,kubernetes,devsecops,k8s,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/network-policies/k8s-network-ingress-rules.yaml

@@ -11,7 +11,7 @@ info:
     Define specific ingress rules in all network policies to control the flow of inbound traffic to pods, ensuring only authorized traffic can access cluster resources.
   reference:
     - https://kubernetes.io/docs/concepts/services-networking/network-policies/
-  tags: cloud,devops,kubernetes,security,networking
+  tags: cloud,devops,kubernetes,security,k8s,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/pods/k8s-allow-privilege-escalation-set.yaml

@@ -10,7 +10,7 @@ info:
   remediation: Ensure that the allowPrivilegeEscalation flag is set to false in all container configurations to minimize security risks
   reference:
     - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-  tags: cloud,devops,kubernetes,security,devsecops,containers
+  tags: cloud,devops,kubernetes,security,devsecops,containers,k8s,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/pods/k8s-containers-share-host-ipc.yaml

@@ -10,7 +10,7 @@ info:
   remediation: Ensure that no container in Kubernetes Pods is set to share the host IPC namespace. Configure 'spec.hostIPC' to 'false' for all pods to isolate IPC namespaces.
   reference:
     - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-  tags: cloud,devops,kubernetes,k8s,devsecops,pods
+  tags: cloud,devops,kubernetes,k8s,devsecops,pods,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/pods/k8s-host-network-namespace-shared.yaml

@@ -11,7 +11,7 @@ info:
     Ensure that the 'hostNetwork' field is set to false in all Kubernetes Pods to prevent containers from sharing the host's network namespace.
   reference:
     - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
-  tags: cloud,devops,kubernetes,k8s,devsecops,namespace
+  tags: cloud,devops,kubernetes,k8s,devsecops,namespace,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/pods/k8s-host-pid-namespace-sharing.yaml

@@ -11,7 +11,7 @@ info:
     Ensure that the 'hostPID' field is set to 'false' in Kubernetes Pod specifications to prevent containers from sharing the host's PID namespace.
   reference:
     - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
-  tags: cloud,devops,kubernetes,k8s,devsecops,pods
+  tags: cloud,devops,kubernetes,k8s,devsecops,pods,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/pods/k8s-readonly-fs.yaml

@@ -10,7 +10,7 @@ info:
   remediation: Configure containers to use read-only filesystems where possible to enhance security and minimize risk of unauthorized data modification
   reference:
     - https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
-  tags: cloud,devops,kubernetes,k8s,devsecops,pods
+  tags: cloud,devops,kubernetes,k8s,devsecops,pods,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/pods/k8s-readonly-rootfs.yaml

@@ -11,7 +11,7 @@ info:
     Configure all pods and containers to have their root filesystem set to read-only mode. This can be achieved by setting the securityContext.readOnlyRootFilesystem parameter to true in the pod or container configuration.
   reference:
     - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
-  tags: cloud,devops,kubernetes,security,devsecops,pods,k8s
+  tags: cloud,devops,kubernetes,devsecops,pods,k8s,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/pods/k8s-root-user-id.yaml

@@ -10,7 +10,7 @@ info:
   remediation: Configure pods to run with a non-root user ID by setting the 'securityContext' for each container and the pod itself.
   reference:
     - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-  tags: cloud,devops,kubernetes,security,devsecops,pods
+  tags: cloud,devops,kubernetes,devsecops,pods,k8s,k8s-cluster-security
 
 flow: |
   code(1);

cloud/kubernetes/security-compliance/k8s-audit-log-path-set.yaml

@@ -11,7 +11,7 @@ info:
     Configure the Kubernetes API server to include the audit-log-path argument pointing to a secure, writeable directory where audit logs will be stored. Ensure that this directory is properly secured and regularly monitored.
   reference:
     - https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
-  tags: cloud,devops,kubernetes,security,devsecops,api-server
+  tags: cloud,devops,kubernetes,devsecops,api-server,k8s,k8s-cluster-security
 
 variables:
   argument: "audit-log-path"

cloud/kubernetes/security-compliance/k8s-enc-prov-conf.yaml

@@ -11,7 +11,7 @@ info:
     Ensure that the encryption provider configuration file is set up correctly and referenced properly in the API server configuration. Encryption should be enabled and configured according to the security best practices.
   reference:
     - https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
-  tags: cloud,devops,kubernetes,security,devsecops,encryption
+  tags: cloud,devops,kubernetes,devsecops,encryption,k8s,k8s-cluster-security
 
 variables:
   argument: "encryption-provider-config"

cloud/kubernetes/security-compliance/k8s-etcd-cafile-set.yaml

@@ -11,7 +11,7 @@ info:
     Configure etcd to use an etcd-cafile argument that points to a valid CA certificate bundle. This setting should be part of the etcd startup arguments or in its configuration file.
   reference:
     - https://etcd.io/docs/v3.5/op-guide/security/
-  tags: cloud,devops,kubernetes,security,devsecops,etcd
+  tags: cloud,devops,kubernetes,devsecops,etcd,k8s,k8s-cluster-security
 
 variables:
   argument: "etcd-cafile"

cloud/kubernetes/security-compliance/k8s-etcd-files-set.yaml

@@ -11,7 +11,7 @@ info:
     Configure the etcd server to use etcd-certfile and etcd-keyfile arguments that point to valid certificate and key files respectively. This ensures that communications to and from the etcd server are properly encrypted.
   reference:
     - https://etcd.io/docs/v3.4.0/op-guide/security/
-  tags: cloud,devops,kubernetes,security,devsecops,etcd
+  tags: cloud,devops,kubernetes,devsecops,etcd,k8s,k8s-cluster-security
 
 variables:
   argument: "etcd-certfile or etcd-keyfile"

cloud/kubernetes/security-compliance/k8s-ns-usage-check.yaml

@@ -11,7 +11,7 @@ info:
     Implement and use namespaces to organize resources within the Kubernetes cluster effectively. Define access controls and resource quotas on a per-namespace basis.
   reference:
     - https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
-  tags: cloud,devops,kubernetes,security,devsecops,namespaces
+  tags: cloud,devops,kubernetes,devsecops,namespaces,k8s,k8s-cluster-security
 
 variables:
   argument: "namespaces"

cloud/kubernetes/security-compliance/k8s-svc-acct-issuer-set.yaml

@@ -11,7 +11,7 @@ info:
     Set the service-account-issuer argument to a valid issuer URL in the API server's startup arguments or configuration file. This ensures the tokens issued are trusted across services.
   reference:
     - https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
-  tags: cloud,devops,kubernetes,security,devsecops,api-server
+  tags: cloud,devops,kubernetes,devsecops,api-server,k8s,k8s-cluster-security
 
 variables:
   argument: "service-account-issuer"

cloud/kubernetes/security-compliance/k8s-svc-acct-key.yaml

@@ -11,7 +11,7 @@ info:
     Configure the API server to use a service-account-key-file that points to a valid private key used to sign service account tokens. This setting should be part of the API server startup arguments or in its configuration file.
   reference:
     - https://kubernetes.io/docs/admin/kube-apiserver/
-  tags: cloud,devops,kubernetes,security,devsecops,api-server
+  tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security
 
 variables:
   argument: "service-account-key-file"

cloud/kubernetes/security-compliance/k8s-svc-acct-lookup-set.yaml

@@ -11,7 +11,7 @@ info:
     Set the service-account-lookup argument to true in the API server's startup arguments or configuration file to ensure proper verification of service accounts.
   reference:
     - https://kubernetes.io/docs/admin/kube-apiserver/
-  tags: cloud,devops,kubernetes,security,devsecops,api-server
+  tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security
 
 variables:
   argument: "service-account-lookup=true"

cloud/kubernetes/security-compliance/k8s-tls-config-set.yaml

@@ -11,7 +11,7 @@ info:
     Configure the API server to use tls-cert-file and tls-private-key-file that point to a valid certificate and key file respectively. This setting should be part of the API server startup arguments or in its configuration file.
   reference:
     - https://kubernetes.io/docs/admin/kube-apiserver/
-  tags: cloud,devops,kubernetes,security,devsecops,api-server
+  tags: cloud,devops,kubernetes,security,devsecops,api-server,k8s,k8s-cluster-security
 
 variables:
   argument: "tls-cert-file or tls-private-key-file"

profiles/k8s-cluster-security.yml

@@ -0,0 +1,6 @@
+# Nuclei scan profile for scanning aws ACLs
+
+code: true # enable code templates
+
+tags:
+  - k8s-cluster-security # filter templates with "k8s-cluster-security" tags