| Name | Kind | Namespace | Controls | Description |
|---|---|---|---|---|
| csi-azuredisk-node | DaemonSet | kube-system | All | This exclusion applies to core DaemonSets in the kube-system namespace on Azure Kubernetes Service (AKS), such as CSI drivers, kube-proxy, and monitoring agents like omsagent. These components are essential for the platform's storage, networking, and telemetry. |
| csi-azurefile-node | DaemonSet | kube-system | All | |
| csi-azurefile-node-win | DaemonSet | kube-system | All | |
| kube-proxy | DaemonSet | kube-system | All | |
| omsagent | DaemonSet | kube-system | All | |
| omsagent-win | DaemonSet | kube-system | All | |
| coredns | Deployment | kube-system | All | This exclusion covers critical system Deployments and DaemonSets in the kube-system namespace on AKS, such as coredns, metrics-server, and cloud-specific agents. These components are essential for core cluster functionality like DNS resolution, metrics collection, and node management. |
| coredns-autoscaler | Deployment | kube-system | All | |
| konnectivity-agent | Deployment | kube-system | All | |
| metrics-server | Deployment | kube-system | All | |
| csi-azuredisk-node-win | DaemonSet | kube-system | All | |
| azure-ip-masq-agent | DaemonSet | kube-system | All | |
| cloud-node-manager | DaemonSet | kube-system | All | |
| cloud-node-manager-windows | DaemonSet | kube-system | All | |
| omsagent-rs | Deployment | kube-system | All | |
| azure-ip-masq-agent-[A-Za-z0-9]+ | Pod | kube-system | All | This exclusion applies to dynamically named system Pods in the kube-system namespace on AKS, covering core components like DNS, storage drivers, telemetry agents, and networking services. These Pods are managed by the platform and often use auto-generated names. The exclusion ensures that posture checks do not interfere with essential infrastructure workloads required for the cluster's stable and secure operation. |
| cloud-node-manager-[A-Za-z0-9]+ | Pod | kube-system | All | |
| coredns-autoscaler--[A-Za-z0-9]+-[A-Za-z0-9]+ | Pod | kube-system | All | |
| csi-azuredisk-node-[A-Za-z0-9]+ | Pod | kube-system | All | |
| csi-azurefile-node-[A-Za-z0-9]+ | Pod | kube-system | All | |
| konnectivity-agent-[A-Za-z0-9]+-[A-Za-z0-9]+ | Pod | kube-system | All | |
| omsagent-[A-Za-z0-9]+ | Pod | kube-system | All | |
| omsagent-rs-[A-Za-z0-9]+-[A-Za-z0-9]+ | Pod | kube-system | All | |
| coredns-autoscaler-[A-Za-z0-9]+ | ReplicaSet | kube-system | All | This exclusion targets ReplicaSets in the kube-system namespace on AKS that are automatically created to support essential services like DNS, metrics, and telemetry. These system-managed components often have dynamic names and are tightly coupled with the platform's core functionality. |
| coredns-[A-Za-z0-9]+ | ReplicaSet | kube-system | All | |
| konnectivity-agent-[A-Za-z0-9]+ | ReplicaSet | kube-system | All | |
| metrics-server-[A-Za-z0-9]+ | ReplicaSet | kube-system | All | |
| omsagent-rs-[A-Za-z0-9]+ | ReplicaSet | kube-system | All | |
| azure-cloud-provider | Service account | kube-system | All | This exclusion includes various system service accounts, ConfigMaps, webhook configurations, and identity principals that are essential for the core functionality and control plane operations of AKS. These components are either managed by the platform or required for secure communication, node provisioning, and cluster automation. |
| cloud-node-manager | Service account | kube-system | All | |
| coredns-autoscaler | Service account | kube-system | All | |
| csi-azuredisk-node-sa | Service account | kube-system | All | |
| csi-azurefile-node-sa | Service account | kube-system | All | |
| omsagent | Service account | kube-system | All | |
| kube-root-ca.crt | ConfigMap | default | All | |
| kube-root-ca.crt | ConfigMap | kube-node-lease | All | |
| kube-root-ca.crt | ConfigMap | kube-public | All | |
| azure-ip-masq-agent-config-reconciled | ConfigMap | kube-system | All | |
| cluster-autoscaler-status | ConfigMap | kube-system | All | |
| container-azm-ms-aks-k8scluster | ConfigMap | kube-system | All | |
| coredns | ConfigMap | kube-system | All | |
| coredns-autoscaler | ConfigMap | kube-system | All | |
| coredns-custom | ConfigMap | kube-system | All | |
| extension-apiserver-authentication | ConfigMap | kube-system | All | |
| kube-root-ca.crt | ConfigMap | kube-system | All | |
| omsagent-rs-config | ConfigMap | kube-system | All | |
| overlay-upgrade-data | ConfigMap | kube-system | All | |
| aks-webhook-admission-controller | MutatingWebhookConfiguration | N/A | All | |
| aks-node-mutating-webhook | MutatingWebhookConfiguration | N/A | All | |
| aks-node-validating-webhook | ValidatingWebhookConfiguration | N/A | All | |
| system:nodes | Group | N/A | All | |
| clusterAdmin | User | N/A | All | |
| kube-dns | Service | kube-system | All | This exclusion applies to essential system services in the kube-system namespace, such as kube-dns and metrics-server. These services provide core functionality like DNS resolution and resource monitoring within the cluster. |
| metrics-server | Service | kube-system | All | |
| kubescape | ConfigMap | default | All | This exclusion covers key resources in the default namespace, such as the default service account, the default namespace object, and a ConfigMap used by Kubescape. These are foundational elements often used for initial workloads, testing, or system defaults. The exclusion helps prevent unnecessary alerts on baseline or utility resources that are commonly present in most clusters. |
| default | Namespace | N/A | All | |
| default | Service account | default | All | |
| aws-node-[A-Za-z0-9]+ | Pod | kube-system | All | This exclusion applies to a broad range of default and system-managed resources in an Amazon Elastic Kubernetes Service (EKS) cluster. It includes Pods, Deployments, DaemonSets, service accounts, and identity bindings essential for networking (aws-node), storage (ebs-csi), monitoring (metrics-server), and cluster administration. These components are managed by AWS and form the backbone of EKS cluster functionality. The exclusion ensures that posture checks do not generate unnecessary alerts for trusted, platform-integrated services. |
| kube-proxy-[A-Za-z0-9]+ | Pod | kube-system | All | |
| metrics-server-[A-Za-z0-9]+-[A-Za-z0-9]+ | Pod | kube-system | All | |
| aws-node | DaemonSet | kube-system | All | |
| eventrouter | Deployment | kube-system | All | |
| ebs-csi-controller | Deployment | kube-system | All | |
| ebs-csi-node | DaemonSet | kube-system | All | |
| ebs-csi-node-windows | DaemonSet | kube-system | All | |
| metrics-server | Deployment | kube-system | All | |
| coredns-[A-Za-z0-9]+ | ReplicaSet | kube-system | All | |
| metrics-server-[A-Za-z0-9]+ | ReplicaSet | kube-system | All | |
| kube-dns | Service | kube-system | All | |
| aws-cloud-provider | Service account | kube-system | All | |
| aws-node | Service account | kube-system | All | |
| eks-admin | Service account | kube-system | All | |
| eks-vpc-resource-controller | Service account | kube-system | All | |
| metrics-server | Service account | kube-system | All | |
| tagging-controller | Service account | kube-system | All | |
| vpc-resource-controller | Service account | kube-system | All | |
| eventrouter | Service account | kube-system | All | |
| ebs-csi-controller-sa | Service account | kube-system | All | |
| ebs-csi-node-sa | Service account | kube-system | All | |
| eks:fargate-manager | User | N/A | All | |
| eks:addon-manager | User | N/A | All | |
| eks:certificate-controller | User | N/A | All | |
| eks:node-manager | User | N/A | All | |
| system:masters | Group | N/A | All | |
| default | Service account | kube-node-lease | All | This exclusion applies to the default service account in the kube-node-lease namespace on Google Kubernetes Engine (GKE). Kubernetes uses this namespace to manage node heartbeat leases. Excluding this resource helps avoid unnecessary alerts on system-managed identities that support node health tracking and cluster stability. |
| default | Service account | kube-public | All | This exclusion targets the default service account in the kube-public namespace on GKE. This namespace is used for publicly accessible cluster information. Excluding this resource prevents unnecessary alerts on a default, system-managed identity that is not intended for sensitive operations. |
| coredns-[A-Za-z0-9]+-[A-Za-z0-9]+ | Pod | kube-system | All | This exclusion covers a wide range of GKE system-managed resources within the kube-system namespace, including Pods, DaemonSets, Deployments, Services, and CronJobs. These components are critical for networking, DNS, logging, GPU support, autoscaling, and internal communication within the cluster. Excluding them ensures that posture checks do not interfere with default GKE operations, which the platform provisions and maintains for reliable and secure cluster performance. |
| kube-proxy-[A-Za-z0-9-]+ | Pod | kube-system | All | |
| etcd-.* | Pod | kube-system | All | |
| metadata-proxy-v[0-9.]+ | DaemonSet | kube-system | All | |
| node-local-dns | DaemonSet | kube-system | All | |
| gke-metrics-agent.* | DaemonSet | kube-system | All | |
| pdcsi-node-windows | DaemonSet | kube-system | All | |
| anetd | DaemonSet | kube-system | All | |
| netd | DaemonSet | kube-system | All | |
| fluentbit-gke-big | DaemonSet | kube-system | All | |
| fluentbit-gke-small | DaemonSet | kube-system | All | |
| fluentbit-gke-max | DaemonSet | kube-system | All | |
| fluentbit-gke.* | DaemonSet | kube-system | All | |
| nccl-fastsocket-installer | DaemonSet | kube-system | All | |
| filestore-node | DaemonSet | kube-system | All | |
| pdcsi-node | DaemonSet | kube-system | All | |
| ip-masq-agent | DaemonSet | kube-system | All | |
| anetd-win | DaemonSet | kube-system | All | |
| gke-metadata-server | DaemonSet | kube-system | All | |
| gke-metrics-agent-windows | DaemonSet | kube-system | All | |
| kube-proxy | DaemonSet | kube-system | All | |
| nvidia-gpu-device-plugin | DaemonSet | kube-system | All | |
| nvidia-gpu-device-plugin-large | DaemonSet | kube-system | All | |
| nvidia-gpu-device-plugin-medium | DaemonSet | kube-system | All | |
| image-package-extractor | DaemonSet | kube-system | All | |
| image-package-extractor-cleanup | CronJob | kube-system | All | |
| nvidia-gpu-device-plugin-small | DaemonSet | kube-system | All | |
| metrics-server | Service | kube-system | All | |
| kube-dns | Deployment | kube-system | All | |
| egress-nat-controller | Deployment | kube-system | All | |
| event-exporter-gke | Deployment | kube-system | All | |
| antrea-controller | Deployment | kube-system | All | |
| antrea-controller-horizontal-autoscaler | Deployment | kube-system | All | |
| kube-dns-autoscaler | Deployment | kube-system | All | |
| metrics-server-v[0-9.]+ | Deployment | kube-system | All | |
| konnectivity-agent-autoscaler | Deployment | kube-system | All | |
| fluentd-elasticsearch | DaemonSet | kube-system | All | |
| konnectivity-agent | Deployment | kube-system | All | |
| l7-default-backend | Deployment | kube-system | All | |
| ks-sa | Service account | kubescape | | This exclusion applies to the ks-sa service account in the kubescape namespace, which is used by Kubescape to run security posture scans, collect cluster configuration data, and report compliance results. |
| default | Service account | kubescape | Automount of default service account token, Automount of service account token, Namespace without custom service account | This exclusion targets the default service account in the kubescape namespace, which may be used by Kubescape components during initialization or auxiliary operations. Allowing this service account to operate in alert-only mode ensures that background tasks or default behaviors tied to the namespace do not trigger posture violations. This supports smoother operation of the Kubescape system without compromising visibility. |
| node-agent | DaemonSet | kubescape | Use of hostPath mounts, Use of writable hostPath volumes, Automount of service account token, Configured liveness probe, Configured readiness probe, Use of Docker socket in containers, Immutable container filesystem, Ingress and egress policy enforcement, Insecure capabilities, Linux hardening, Non-root containers, Privilege escalation control, Privilege escalation | This exclusion allows the node-agent DaemonSet in the kubescape namespace to function with unrestricted network access and elevated privileges. As a core component responsible for collecting runtime and host-level data across nodes, this DaemonSet requires broad permissions and connectivity to perform deep inspection and send results. |
| kubescape | Deployment | kubescape | | This exclusion allows key Kubescape components, such as kubescape, operator, gateway, kubevuln, and kollector, to operate with unrestricted network traffic. These components require both inbound and outbound connectivity to perform tasks like data collection, vulnerability scanning, synchronization, and communication with external services. The exclusion ensures their functionality is not limited by network traffic restrictions. |
| operator | Deployment | kubescape | | |
| gateway | Deployment | kubescape | | |
| kubevuln | Deployment | kubescape | | |
| kollector | StatefulSet | kubescape | | |
| kubescape | Deployment | kubescape | Configured liveness probe, Configured readiness probe, NET_RAW capability drop configuration, NetworkPolicy labels, Host PID/IPC privileges, Immutable container filesystem, Ingress and egress policy enforcement, Label usage for resources, Linux hardening, Non-root containers, Privilege escalation control, Privilege escalation, Secrets in environment variables, fsGroup value, fsGroup change policy value, procMount default, seccompProfile, seccompProfile RuntimeDefault, SELinux options configuration, Supplemental groups configuration, Sysctl parameter configuration | This exclusion applies to key Kubescape components, including deployments like kubescape, operator, gateway, synchronizer, kubevuln, and otel-collector, as well as the kollector StatefulSet and node-agent DaemonSet. The exclusion allows these components to run without being blocked by security context posture controls. These workloads may require elevated permissions or non-standard configurations to perform critical tasks like scanning, telemetry, synchronization, and storage. |
| operator | Deployment | kubescape | Configured liveness probe, Configured readiness probe, NET_RAW capability drop configuration, NetworkPolicy labels, Host PID/IPC privileges, Immutable container filesystem, Ingress and egress policy enforcement, Label usage for resources, Linux hardening, Non-root containers, Privilege escalation control, Privilege escalation, Secrets in environment variables, fsGroup value, fsGroup change policy value, procMount default, seccompProfile, seccompProfile RuntimeDefault, SELinux options configuration, Supplemental groups configuration, Sysctl parameter configuration | |
| gateway | Deployment | kubescape | Configured liveness probe, Configured readiness probe, NET_RAW capability drop configuration, NetworkPolicy labels, Host PID/IPC privileges, Immutable container filesystem, Ingress and egress policy enforcement, Label usage for resources, Linux hardening, Non-root containers, Privilege escalation control, Privilege escalation, Secrets in environment variables, fsGroup value, fsGroup change policy value, procMount default, seccompProfile, seccompProfile RuntimeDefault, SELinux options configuration, Supplemental groups configuration, Sysctl parameter configuration | |
| synchronizer | Deployment | kubescape | Configured liveness probe, Configured readiness probe, NET_RAW capability drop configuration, NetworkPolicy labels, Host PID/IPC privileges, Immutable container filesystem, Ingress and egress policy enforcement, Label usage for resources, Linux hardening, Non-root containers, Privilege escalation control, Privilege escalation, Secrets in environment variables, fsGroup value, fsGroup change policy value, procMount default, seccompProfile, seccompProfile RuntimeDefault, SELinux options configuration, Supplemental groups configuration, Sysctl parameter configuration | |
| kubevuln | Deployment | kubescape | Configured liveness probe, Configured readiness probe, NET_RAW capability drop configuration, NetworkPolicy labels, Host PID/IPC privileges, Immutable container filesystem, Ingress and egress policy enforcement, Label usage for resources, Linux hardening, Non-root containers, Privilege escalation control, Privilege escalation, Secrets in environment variables, fsGroup value, fsGroup change policy value, procMount default, seccompProfile, seccompProfile RuntimeDefault, SELinux options configuration, Supplemental groups configuration, Sysctl parameter configuration | |
| kollector | StatefulSet | kubescape | Configured liveness probe, Configured readiness probe, NET_RAW capability drop configuration, NetworkPolicy labels, Host PID/IPC privileges, Immutable container filesystem, Ingress and egress policy enforcement, Label usage for resources, Linux hardening, Non-root containers, Privilege escalation control, Privilege escalation, Secrets in environment variables, fsGroup value, fsGroup change policy value, procMount default, seccompProfile, seccompProfile RuntimeDefault, SELinux options configuration, Supplemental groups configuration, Sysctl parameter configuration | |
| storage | Deployment | kubescape | Configured liveness probe, Configured readiness probe, NET_RAW capability drop configuration, NetworkPolicy labels, Host PID/IPC privileges, Immutable container filesystem, Ingress and egress policy enforcement, Label usage for resources, Linux hardening, Non-root containers, Privilege escalation control, Privilege escalation, Secrets in environment variables, fsGroup value, fsGroup change policy value, procMount default, seccompProfile, seccompProfile RuntimeDefault, SELinux options configuration, Supplemental groups configuration, Sysctl parameter configuration | |
| otel-collector | Deployment | kubescape | Configured liveness probe, Configured readiness probe, NET_RAW capability drop configuration, NetworkPolicy labels, Host PID/IPC privileges, Immutable container filesystem, Ingress and egress policy enforcement, Label usage for resources, Linux hardening, Non-root containers, Privilege escalation control, Privilege escalation, Secrets in environment variables, fsGroup value, fsGroup change policy value, procMount default, seccompProfile, seccompProfile RuntimeDefault, SELinux options configuration, Supplemental groups configuration, Sysctl parameter configuration | |
| node-agent | DaemonSet | kubescape | Configured liveness probe, Configured readiness probe, NET_RAW capability drop configuration, NetworkPolicy labels, Host PID/IPC privileges, Immutable container filesystem, Ingress and egress policy enforcement, Label usage for resources, Linux hardening, Non-root containers, Privilege escalation control, Privilege escalation, Secrets in environment variables, fsGroup value, fsGroup change policy value, procMount default, seccompProfile, seccompProfile RuntimeDefault, SELinux options configuration, Supplemental groups configuration, Sysctl parameter configuration | |
| host-scanner | DaemonSet | kubescape-host-scanner | All | This exclusion allows the host-scanner DaemonSet in the kubescape and kubescape-host-scanner namespaces to operate without being blocked by posture controls. The host scanner requires elevated access to inspect node-level configurations and vulnerabilities. Excluding it ensures that Kubescape's deep host-level scanning can run as intended. |
| host-scanner | DaemonSet | kubescape | All | |
| otel-collector | Deployment | kubescape | Configured liveness probe, Configured readiness probe, Immutable container filesystem, Ingress and egress policy enforcement, Linux hardening | This exclusion applies to the otel-collector deployment to ensure that OpenTelemetry (OTel), a critical observability component used for collecting and exporting telemetry data (traces, metrics, and logs), remains functional. This is essential for maintaining visibility into the system's behavior. |
| kubescape | Deployment | kubescape-prometheus | Ingress and egress policy enforcement | This exclusion allows the kubescape deployment in the kubescape-prometheus namespace to operate with unrestricted outbound network access. As this deployment handles Prometheus integration, it may need to communicate externally for metrics scraping or telemetry purposes. The exclusion ensures that monitoring capabilities remain functional without being limited by network restrictions. |
| kubescape | Deployment | kubescape-prometheus | NET_RAW capability drop configuration, Immutable container filesystem, Linux hardening, Non-root containers, Privilege escalation control, Privilege escalation, fsGroup value, fsGroup change policy value, procMount default, seccompProfile, seccompProfile RuntimeDefault, SELinux options configuration, Supplemental groups configuration, Sysctl parameter configuration | This exclusion allows the kubescape deployment in the kubescape-prometheus namespace to run with a less restrictive security context. As this deployment supports Prometheus integration, it may require permissions or configurations that do not fully align with strict hardening standards. |
| kubescape-sa | Service account | kubescape | | This exclusion allows the kubescape-sa service account in the kubescape namespace to operate with elevated or broad permissions. This service account is used by Kubescape components that need access to cluster resources for scanning and analysis. |
| ks-sa | Service account | kubescape | Access control for container service accounts (v1), Automount of service account token, Non-root containers, Secret access permissions (v1), Secrets in environment variables | This exclusion allows multiple service accounts used by Kubescape components, such as node-agent, storage, synchronizer, and kubevuln, to operate with broader access and configuration flexibility. These service accounts support scanning, data collection, storage, and coordination tasks across the cluster. The exclusion ensures that these functions are not hindered by strict identity or access limitations, enabling Kubescape to perform comprehensive security assessments. |
| storage | Service account | kubescape | Access control for container service accounts (v1), Automount of service account token, Non-root containers, Secret access permissions (v1), Secrets in environment variables | |
| kubescape-sa | Service account | kubescape | Access control for container service accounts (v1), Automount of service account token, Non-root containers, Secret access permissions (v1), Secrets in environment variables | |
| node-agent | Service account | kubescape | Access control for container service accounts (v1), Automount of service account token, Non-root containers, Secret access permissions (v1), Secrets in environment variables | |
| kubevuln | Service account | kubescape | Access control for container service accounts (v1), Automount of service account token, Non-root containers, Secret access permissions (v1), Secrets in environment variables | |
| storage-sa | Service account | kubescape | Access control for container service accounts (v1), Automount of service account token, Non-root containers, Secret access permissions (v1), Secrets in environment variables | |
| synchronizer | Service account | kubescape | Access control for container service accounts (v1), Automount of service account token, Non-root containers, Secret access permissions (v1), Secrets in environment variables | |
| node-agent-service-account | Service account | kubescape | Access control for container service accounts (v1), Automount of service account token, Non-root containers, Secret access permissions (v1), Secrets in environment variables | |
| konnectivity-agent-cpha | Service account | kube-system | All | This exclusion applies to a wide set of default Kubernetes controller service accounts in the kube-system namespace. These service accounts are used by core controllers and system processes that manage workloads, resources, and cluster state, such as deployment controllers, node managers, DNS, garbage collection, and volume provisioning. |
| metrics-server | Service account | kube-system | All | |
| endpointslicemirroring-controller | Service account | kube-system | All | |
| replicaset-controller | Service account | kube-system | All | |
| endpointslice-controller | Service account | kube-system | All | |
| service-account-controller | Service account | kube-system | All | |
| namespace-controller | Service account | kube-system | All | |
| clusterrole-aggregation-controller | Service account | kube-system | All | |
| generic-garbage-collector | Service account | kube-system | All | |
| certificate-controller | Service account | kube-system | All | |
| daemon-set-controller | Service account | kube-system | All | |
| cloud-provider | Service account | kube-system | All | |
| ephemeral-volume-controller | Service account | kube-system | All | |
| root-ca-cert-publisher | Service account | kube-system | All | |
| bootstrap-signer | Service account | kube-system | All | |
| expand-controller | Service account | kube-system | All | |
| disruption-controller | Service account | kube-system | All | |
| ttl-after-finished-controller | Service account | kube-system | All | |
| job-controller | Service account | kube-system | All | |
| pv-protection-controller | Service account | kube-system | All | |
| persistent-volume-binder | Service account | kube-system | All | |
| pvc-protection-controller | Service account | kube-system | All | |
| statefulset-controller | Service account | kube-system | All | |
| deployment-controller | Service account | kube-system | All | |
| node-controller | Service account | kube-system | All | |
| cronjob-controller | Service account | kube-system | All | |
| resourcequota-controller | Service account | kube-system | All | |
| endpoint-controller | Service account | kube-system | All | |
| pod-garbage-collector | Service account | kube-system | All | |
| ttl-controller | Service account | kube-system | All | |
| token-cleaner | Service account | kube-system | All | |
| kube-dns | Service account | kube-system | All | |
| attachdetach-controller | Service account | kube-system | All | |
| kube-proxy | Service account | kube-system | All | |
| konnectivity-agent | Service account | kube-system | All | |
| replication-controller | Service account | kube-system | All | |
| default | Service account | kube-system | All | |
| service-controller | Service account | kube-system | All | |
| kube-dns-autoscaler | Service account | kube-system | All | |
| netd | Service account | kube-system | All | |
| metadata-proxy | Service account | kube-system | All | |
| antrea-controller | Service account | kube-system | All | |
| cilium | Service account | kube-system | All | |
| node-local-dns | Service account | kube-system | All | |
| gke-metrics-agent | Service account | kube-system | All | |
| egress-nat-controller | Service account | kube-system | All | |
| antrea-agent | Service account | kube-system | All | |
| event-exporter-sa | Service account | kube-system | All | |
| antrea-cpha | Service account | kube-system | All | |
| fluentbit-gke | Service account | kube-system | All | |
| pdcsi-node-sa | Service account | kube-system | All | |
| ip-masq-agent | Service account | kube-system | All | |
| filestorecsi-node-sa | Service account | kube-system | All | |
| gke-metadata-server | Service account | kube-system | All | |
| coredns | Service account | kube-system | All | |
| horizontal-pod-autoscaler | Service account | kube-system | All | |
| storage-provisioner | Service account | kube-system | All | |
| system:vpa-recommender | User | kube-system | All | This exclusion applies to internal Kubernetes users in the kube-system namespace, such as system:vpa-recommender and system:anet-operator. These users are associated with automated system components responsible for resource recommendations and network management. |
| system:anet-operator | User | kube-system | All | |
| kube-node-lease | Namespace | N/A | All | This exclusion applies to the kube-node-lease namespace in a Minikube environment. Kubernetes uses this namespace to track node heartbeats and ensure node availability. |
| kube-public | Namespace | N/A | All | This exclusion applies to the kube-public namespace in a Minikube environment. This namespace is used for publicly accessible, read-only cluster information shared across users and components. |
| kube-proxy-.* | Pod | kube-system | All | This exclusion applies to system-managed resources in the kube-system namespace within a Minikube environment. It includes core components such as the DNS, scheduler, controller manager, proxy, storage provisioner, and GPU or TPU plugins. These resources are essential for Minikube's local cluster functionality and are automatically provisioned. |
| coredns | Deployment | kube-system | All | |
| sealed-secrets-controller | Deployment | kube-system | All | |
| tpu-device-plugin | DaemonSet | kube-system | All | |
| runsc-metric-server | DaemonSet | kube-system | All | |
| nvidia-gpu-.* | DaemonSet | kube-system | All | |
| kube-system | Namespace | N/A | All | |
| storage-provisioner | Pod | kube-system | All | |
| kube-scheduler-.* | Pod | kube-system | All | |
| kube-controller-manager-.* | Pod | kube-system | All | |
| kubescape | Namespace | N/A | All | This exclusion applies to the kubescape namespace, which hosts Kubescape's own components and services. |
| otel-collector | Deployment | kubescape | Automount of service account token | This exclusion applies to the otel-collector deployment in the kubescape namespace. OpenTelemetry Collector is responsible for gathering and exporting observability data such as metrics, logs, and traces. |
| kube-apiserver-.* | Pod | kube-system | Use of hostPath mounts, Use of hostPath mounts exposing credentials, Automount of service account token, Host network access, Immutable container filesystem, Ingress and egress policy enforcement, Kubernetes common labels usage, Non-root containers, Resources CPU limits, Resources memory limits, Privilege escalation control | This exclusion applies to the kube-apiserver Pod in the kube-system namespace. It accounts for the specific configurations and elevated privileges required by the API server to manage and coordinate cluster activity. These settings may not align with strict policy checks but are essential for the intended functionality of the API server. |
| kubevuln-schedule-.* | CronJob | kubescape | Configured liveness probe, Configured readiness probe, NET_RAW capability drop configuration, NetworkPolicy labels, Immutable container filesystem, Ingress and egress policy enforcement, Kubernetes common labels usage, Label usage for resources, Linux hardening, Non-root containers, Privilege escalation control, CronJobs usage, Privilege escalation, fsGroup value, fsGroup change policy value, procMount default, seccompProfile, seccompProfile RuntimeDefault, SELinux options configuration, Supplemental groups configuration, Sysctl parameter configuration | This exclusion applies to several CronJobs in the kubescape namespace, which are responsible for scheduling vulnerability and registry scans. These jobs require specific configurations, permissions, and runtime behaviors. |
| kubescape-registry-scan-.* | CronJob | kubescape | Configured liveness probe, Configured readiness probe, NET_RAW capability drop configuration, NetworkPolicy labels, Immutable container filesystem, Ingress and egress policy enforcement, Kubernetes common labels usage, Label usage for resources, Linux hardening, Non-root containers, Privilege escalation control, CronJobs usage, Privilege escalation, fsGroup value, fsGroup change policy value, procMount default, seccompProfile, seccompProfile RuntimeDefault, SELinux options configuration, Supplemental groups configuration, Sysctl parameter configuration | |
| kubevuln-scheduler | CronJob | kubescape | Configured liveness probe, Configured readiness probe, NET_RAW capability drop configuration, NetworkPolicy labels, Immutable container filesystem, Ingress and egress policy enforcement, Kubernetes common labels usage, Label usage for resources, Linux hardening, Non-root containers, Privilege escalation control, CronJobs usage, Privilege escalation, fsGroup value, fsGroup change policy value, procMount default, seccompProfile, seccompProfile RuntimeDefault, SELinux options configuration, Supplemental groups configuration, Sysctl parameter configuration | |
| kubescape-scheduler | CronJob | kubescape | Configured liveness probe, Configured readiness probe, NET_RAW capability drop configuration, NetworkPolicy labels, Immutable container filesystem, Ingress and egress policy enforcement, Kubernetes common labels usage, Label usage for resources, Linux hardening, Non-root containers, Privilege escalation control, CronJobs usage, Privilege escalation, fsGroup value, fsGroup change policy value, procMount default, seccompProfile, seccompProfile RuntimeDefault, SELinux options configuration, Supplemental groups configuration, Sysctl parameter configuration | |
| operator | Service account | kubescape | Access control for container service accounts (v1), Secret access permissions (v1), Excessive delete permissions (v1) | This exclusion covers various service accounts and system components across the kube-system, gmp-system, and gmp-public namespaces. These accounts and workloads support core Kubernetes operations, routing, metrics collection, alerting, and policy enforcement. |
| kubescape | Service account | kubescape | Access control for container service accounts (v1), Secret access permissions (v1), Excessive delete permissions (v1) | |
| kollector | Service account | kubescape | Access control for container service accounts (v1), Secret access permissions (v1), Excessive delete permissions (v1) | |
| storage-aggregated-apiserver-sa | Service account | kubescape | Access control for container service accounts (v1), Secret access permissions (v1), Excessive delete permissions (v1) | |
| storage | Service account | kubescape | Automount of service account token | |
| node-agent | Service account | kubescape | Automount of service account token | |
| kube-controller-manager | Service account | kube-system | All | |
| kube-scheduler | Service account | kube-system | All | |
| route-controller | Service account | kube-system | All | |
| superadmin | Service account | kube-system | All | |
| pkgextract-service | Service account | kube-system | All | |
| default | Service account | gmp-system | All | |
| collector | Service account | gmp-system | All | |
| operator | Service account | gmp-system | All | |
| collector | Service account | gmp-public | All | |
| alertmanager | StatefulSet | gmp-system | All | |
| collector | DaemonSet | gmp-system | All | |
| rule-evaluator | Deployment | gmp-system | All | |
| gmp-operator | Deployment | gmp-system | All | |
| gke-metrics-agent-conf | ConfigMap | kube-system | All | |
| storage-apiserver | Deployment | kubescape | Automount of service account token, Configured liveness probe, Configured readiness probe, NetworkPolicy labels, Immutable container filesystem, Ingress and egress policy enforcement, Label usage for resources, Linux hardening | |
| This exclusion applies to the storage-apiserver deployment in the kubescape namespace. This component is responsible for managing storage-related APIs used by Kubescape. It requires specific configurations for network access, security context, and permissions, which may not fully align with strict hardening rules. |
ca-validate-cfg
| ValidatingWebhookConfiguration | N/A
| All | This exclusion applies to various system-level webhook configurations, API services, and namespaces such as kube-system, gmp-system, and gmp-public. These resources are managed by the platform (for example, GKE) to enforce network policies, resource limits, metrics, and admission control logic. Their structure and permissions are defined by the underlying system, and this exclusion helps avoid posture violations on trusted, platform-integrated components. |
flowcontrol-guardrails.config.common-webhooks.networking.gke.io
| ValidatingWebhookConfiguration | N/A
| All |
validation-webhook.snapshot.storage.gke.io
| ValidatingWebhookConfiguration | N/A
| All |
gmp-operator.gmp-system.monitoring.googleapis.com
| ValidatingWebhookConfiguration | N/A
| All |
warden-validating.config.common-webhooks.networking.gke.io
| ValidatingWebhookConfiguration | N/A
| All |
nodelimit.config.common-webhooks.networking.gke.io
| ValidatingWebhookConfiguration | N/A
| All |
gkepolicy.config.common-webhooks.networking.gke.io
| ValidatingWebhookConfiguration | N/A
| All |
validation-webhook.snapshot.storage.k8s.io
| ValidatingWebhookConfiguration | N/A
| All |
v1beta1.metrics.k8s.io
| API Service | N/A
| All |
pod-ready.config.common-webhooks.networking.gke.io
| MutatingWebhookConfiguration | N/A
| All |
ca-mutate-cfg
| MutatingWebhookConfiguration | N/A
| All |
neg-annotation.config.common-webhooks.networking.gke.io
| MutatingWebhookConfiguration | N/A
| All |
mutate-scheduler-profile.config.common-webhooks.networking.gke.io
| MutatingWebhookConfiguration | N/A
| All |
sasecret-redacter.config.common-webhooks.networking.gke.io
| MutatingWebhookConfiguration | N/A
| All |
workload-defaulter.config.common-webhooks.networking.gke.io
| MutatingWebhookConfiguration | N/A
| All |
admissionwebhookcontroller.config.common-webhooks.networking.gke.io
| MutatingWebhookConfiguration | N/A
| All |
gke-vpa-webhook-config
| MutatingWebhookConfiguration | N/A
| All |
filestorecsi-mutation-webhook.storage.k8s.io
| MutatingWebhookConfiguration | N/A
| All |
kube-system
| Namespace | N/A
| All |
gmp-public
| Namespace | N/A
| All |
gmp-system
| Namespace | N/A
| All |
system:clustermetrics
| User | N/A
| All | This exclusion covers system-defined users and groups such as system:kube-scheduler, system:kube-controller-manager, and the system:masters group. These identities are integral to Kubernetes control plane operations and cluster administration. The exclusion ensures that posture checks do not flag or disrupt the predefined access roles and privileges required for stable cluster management. |
system:controller:glbc
| User | N/A
| All |
system:l7-lb-controller
| User | N/A
| All |
system:managed-certificate-controller
| User | N/A
| All |
system:gke-common-webhooks
| User | N/A
| All |
system:kube-scheduler
| User | N/A
| All |
system:gcp-controller-manager
| User | N/A
| All |
system:resource-tracker
| User | N/A
| All |
system:storageversionmigrator
| User | N/A
| All |
system:kube-controller-manager
| User | N/A
| All |
system:kubestore-collector
| User | N/A
| All |
system:masters
| Group | N/A
| All |
system:kube-scheduler
| User | N/A
| All |
system:kube-controller-manager
| User | N/A
| All |
system:masters
| Group | N/A
| All |