replicaset-configauditreport-expected.yaml
---
apiVersion: aquasecurity.github.io/v1alpha1
kind: ConfigAuditReport
metadata:
  generation: 1
  labels:
    plugin-config-hash: <HASH>
    resource-spec-hash: <HASH>
    trivy-operator.resource.kind: ReplicaSet
    trivy-operator.resource.name: wordpress-84bbf6f4dd
    trivy-operator.resource.namespace: default
  name: replicaset-wordpress-84bbf6f4dd
  namespace: default
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: false
    controller: true
    kind: ReplicaSet
    name: wordpress-84bbf6f4dd
    uid: null
report:
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: version
  summary:
    criticalCount: 0
    highCount: 2
    mediumCount: 3
    lowCount: 9
  checks:
  - checkID: KSV001
    title: Can elevate its own privileges
    description: A program inside the container can elevate its own privileges and
      run as root, which might give the program control over the container and
      node.
    severity: MEDIUM
    category: Kubernetes Security Check
    messages:
    - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set
      'securityContext.allowPrivilegeEscalation' to false
    remediation: Set 'set containers[].securityContext.allowPrivilegeEscalation' to
      'false'.
    success: false
  - checkID: KSV003
    title: "Default capabilities: some containers do not drop all"
    description: The container should drop all default capabilities and add only
      those that are needed for its execution.
    severity: LOW
    category: Kubernetes Security Check
    messages:
    - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should add
      'ALL' to 'securityContext.capabilities.drop'
    remediation: Add 'ALL' to containers[].securityContext.capabilities.drop.
    success: false
  - checkID: KSV011
    title: CPU not limited
    description: Enforcing CPU limits prevents DoS via resource exhaustion.
    severity: LOW
    category: Kubernetes Security Check
    messages:
    - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set
      'resources.limits.cpu'
    remediation: Set a limit value under 'containers[].resources.limits.cpu'.
    success: false
  - checkID: KSV012
    title: Runs as root user
    description: Force the running image to run as a non-root user to ensure least
      privileges.
    severity: MEDIUM
    category: Kubernetes Security Check
    messages:
    - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set
      'securityContext.runAsNonRoot' to true
    remediation: Set 'containers[].securityContext.runAsNonRoot' to true.
    success: false
  - checkID: KSV014
    title: Root file system is not read-only
    description: An immutable root file system prevents applications from writing to
      their local disk. This can limit intrusions, as attackers will not be
      able to tamper with the file system or write foreign executables to
      disk.
    severity: HIGH
    category: Kubernetes Security Check
    messages:
    - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set
      'securityContext.readOnlyRootFilesystem' to true
    remediation: Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.
    success: false
  - checkID: KSV015
    title: CPU requests not specified
    description: When containers have resource requests specified, the scheduler can
      make better decisions about which nodes to place pods on, and how to
      deal with resource contention.
    severity: LOW
    category: Kubernetes Security Check
    messages:
    - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set
      'resources.requests.cpu'
    remediation: Set 'containers[].resources.requests.cpu'.
    success: false
  - checkID: KSV016
    title: Memory requests not specified
    description: When containers have memory requests specified, the scheduler can
      make better decisions about which nodes to place pods on, and how to
      deal with resource contention.
    severity: LOW
    category: Kubernetes Security Check
    messages:
    - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set
      'resources.requests.memory'
    remediation: Set 'containers[].resources.requests.memory'.
    success: false
  - checkID: KSV018
    title: Memory not limited
    description: Enforcing memory limits prevents DoS via resource exhaustion.
    severity: LOW
    category: Kubernetes Security Check
    messages:
    - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set
      'resources.limits.memory'
    remediation: Set a limit value under 'containers[].resources.limits.memory'.
    success: false
  - checkID: KSV020
    title: Runs with UID <= 10000
    description: Force the container to run with user ID > 10000 to avoid conflicts
      with the host’s user table.
    severity: LOW
    category: Kubernetes Security Check
    messages:
    - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set
      'securityContext.runAsUser' > 10000
    remediation: Set 'containers[].securityContext.runAsUser' to an integer > 10000.
    success: false
  - checkID: KSV021
    title: Runs with GID <= 10000
    description: Force the container to run with group ID > 10000 to avoid conflicts
      with the host’s user table.
    severity: LOW
    category: Kubernetes Security Check
    messages:
    - Container 'wordpress' of ReplicaSet 'wordpress-84bbf6f4dd' should set
      'securityContext.runAsGroup' > 10000
    remediation: Set 'containers[].securityContext.runAsGroup' to an integer > 10000.
    success: false
  - checkID: KSV030
    title: Runtime/Default Seccomp profile not set
    description: According to pod security standard 'Seccomp', the RuntimeDefault
      seccomp profile must be required, or allow specific additional profiles.
    severity: LOW
    category: Kubernetes Security Check
    messages:
    - Either Pod or Container should set
      'securityContext.seccompProfile.type' to 'RuntimeDefault'
    remediation: Set 'spec.securityContext.seccompProfile.type',
      'spec.containers[*].securityContext.seccompProfile' and
      'spec.initContainers[*].securityContext.seccompProfile' to
      'RuntimeDefault' or undefined.
    success: false
  - checkID: KSV104
    title: Seccomp policies disabled
    description: A program inside the container can bypass Seccomp protection policies.
    severity: MEDIUM
    category: Kubernetes Security Check
    messages:
    - container "wordpress" of replicaset "wordpress-84bbf6f4dd" in
      "default" namespace should specify a seccomp profile
    remediation: Specify seccomp either by annotation or by seccomp profile type
      having allowed values as per pod security standards
    success: false
  - checkID: KSV106
    title: Container capabilities must only include NET_BIND_SERVICE
    description: Containers must drop ALL capabilities, and are only permitted to
      add back the NET_BIND_SERVICE capability.
    severity: LOW
    category: Kubernetes Security Check
    messages:
    - container should drop all
    remediation: Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL'
      and only add 'NET_BIND_SERVICE' to
      'spec.containers[*].securityContext.capabilities.add'.
    success: false
  - checkID: KSV118
    title: Default security context configured
    description: Security context controls the allocation of security parameters for
      the pod/container/volume, ensuring the appropriate level of protection.
      Relying on default security context may expose vulnerabilities to
      potential attacks that rely on privileged access.
    severity: HIGH
    category: Kubernetes Security Check
    messages:
    - replicaset wordpress-84bbf6f4dd in default namespace is using the
      default security context, which allows root privileges
    remediation: To enhance security, it is strongly recommended not to rely on the
      default security context. Instead, it is advisable to explicitly define
      the required security parameters (such as runAsNonRoot, capabilities,
      readOnlyRootFilesystem, etc.) within the security context.
    success: false