
Security Insights

High-risk pod privileges, explicit root execution, sensitive literal environment values, and namespace NetworkPolicy presence.

Permissions: viewing checks requires insights: view. Opening a linked object or logs requires the corresponding resource permission, and the BeaverDeck ServiceAccount must be allowed to read the Kubernetes resources used by the check. Suppressing a finding requires insights: edit and affects all users.

Data Evaluated

Active Pods and their security contexts and environment variables, plus NetworkPolicy objects in selected namespaces.

Checks

| Check | When it reports | Alert severity |
| --- | --- | --- |
| Pod Privileges (pod-privileged) | An active Pod uses hostNetwork, hostPID, or hostIPC, or an init/application container is privileged or explicitly allows privilege escalation. | Warning |
| Root User (root-user) | The Pod or an init/application container explicitly sets securityContext.runAsUser: 0. | Warning |
| Sensitive Env Vars (sensitive-env-literal) | An active init, application, or ephemeral container defines a non-empty literal environment value whose name contains PASSWORD, PASSWD, SECRET, TOKEN, API_KEY, PRIVATE_KEY, or ACCESS_KEY, case-insensitively. | Warning |
| NetworkPolicy Coverage (network-policy-coverage) | A selected namespace has active Pods but contains no NetworkPolicy objects. | Warning |

Open an individual check for risk context, recommended response, and limitations. Passing checks are visible when Show all checks is enabled in BeaverDeck.
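As an added illustration of how the four rules above can be evaluated against Pod and NetworkPolicy objects as returned by the Kubernetes API (example code written for this page, not BeaverDeck's own implementation; the sample objects are constructed, and treating any Pod not in phase Succeeded or Failed as active is an assumption):

```python
import re

# Name fragments the sensitive-env-literal check matches, case-insensitively.
SENSITIVE_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY|ACCESS_KEY", re.I)
APP_AND_INIT = ("initContainers", "containers")
ALL_KINDS = APP_AND_INIT + ("ephemeralContainers",)

def _containers(spec, kinds):
    return [c for kind in kinds for c in spec.get(kind) or []]

def _sc(obj):
    return obj.get("securityContext") or {}

def check_pod(pod):
    """Return the IDs of the per-Pod checks that report for one Pod (a plain API dict)."""
    spec, found = pod["spec"], []
    # pod-privileged: a host namespace, or an init/app container that is privileged or
    # explicitly sets allowPrivilegeEscalation: true (an absent field is not explicit)
    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")) or any(
            _sc(c).get("privileged") or _sc(c).get("allowPrivilegeEscalation") is True
            for c in _containers(spec, APP_AND_INIT)):
        found.append("pod-privileged")
    # root-user: an explicit runAsUser: 0 on the Pod or on an init/app container
    if _sc(spec).get("runAsUser") == 0 or any(
            _sc(c).get("runAsUser") == 0 for c in _containers(spec, APP_AND_INIT)):
        found.append("root-user")
    # sensitive-env-literal: a non-empty literal value (valueFrom references do not
    # count) under a matching name, in init, application or ephemeral containers
    if any(env.get("value") and SENSITIVE_NAME.search(env.get("name", ""))
           for c in _containers(spec, ALL_KINDS) for env in c.get("env") or []):
        found.append("sensitive-env-literal")
    return found

def uncovered_namespaces(pods, policies):
    """network-policy-coverage: namespaces that have active Pods but no NetworkPolicy.
    Assumption: a Pod counts as active unless its phase is Succeeded or Failed."""
    active = {p["metadata"]["namespace"] for p in pods
              if p.get("status", {}).get("phase") not in ("Succeeded", "Failed")}
    return sorted(active - {np["metadata"]["namespace"] for np in policies})

# Constructed sample objects for the demonstration; not real cluster data.
WEB = {"metadata": {"namespace": "web"}, "status": {"phase": "Running"}, "spec": {
    "hostNetwork": True, "containers": [{"name": "app", "securityContext": {"runAsUser": 0},
        "env": [{"name": "db_password", "value": "hunter2"}]}]}}
API = {"metadata": {"namespace": "api"}, "status": {"phase": "Running"}, "spec": {
    "containers": [{"name": "api", "securityContext": {"runAsUser": 1000,
        "allowPrivilegeEscalation": False}, "env": [
        {"name": "SECRET_DIR", "value": ""},  # empty literal: not reported
        {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}}]}]}}
BATCH = {"metadata": {"namespace": "batch"}, "status": {"phase": "Succeeded"}, "spec": {"containers": [{"name": "job"}]}}
PODS, POLICIES = [WEB, API, BATCH], [{"metadata": {"namespace": "api", "name": "default-deny"}}]
```

Running check_pod over each Pod and uncovered_namespaces over the lists reports all three per-Pod checks for the web Pod, nothing for the api Pod, and only the web namespace as lacking a NetworkPolicy, since the batch namespace holds no active Pod.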