Test #5
base: master
Conversation
kind: Pod | ||
metadata: | ||
name: test | ||
spec: |
📝 [kubescape] reported by reviewdog 🐶
C-0061 Pods in default namespace:
It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace.
Remediation: Create necessary namespaces and move all the PODs from default namespace there.
Suggested change:
  namespace: YOUR_NAMESPACE
spec:
spec: | ||
containers: | ||
- name: nginx1 | ||
image: nginx |
📝 [kubescape] reported by reviewdog 🐶
C-0018 Configured readiness probe:
Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.
Remediation: Ensure Readiness probes are configured wherever possible.
Suggested change:
    image: nginx
    readinessProbe: YOUR_VALUE
spec: | ||
containers: | ||
- name: nginx1 | ||
image: nginx |
📝 [kubescape] reported by reviewdog 🐶
C-0017 Immutable container filesystem:
Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.
Remediation: Set the filesystem of the container to read-only when possible (POD securityContext, readOnlyRootFilesystem: true). If the container's application needs to write into the filesystem, it is recommended to mount secondary filesystems for the specific directories where the application requires write access.
Suggested change:
    image: nginx
    securityContext:
      readOnlyRootFilesystem: true
spec: | ||
containers: | ||
- name: nginx1 | ||
image: nginx |
C-0009 Resource limits:
CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.
Remediation: Define LimitRange and Resource Limits in the namespace or in the deployment/POD yamls.
Suggested change:
    image: nginx
    resources:
      limits:
        cpu: YOUR_VALUE

Suggested change:
    image: nginx
    resources:
      limits:
        memory: YOUR_VALUE
spec: | ||
containers: | ||
- name: nginx1 | ||
image: nginx |
C-0056 Configured liveness probe:
Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restart the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.
Remediation: Ensure Liveness probes are configured wherever possible.
Suggested change:
    image: nginx
    livenessProbe: YOUR_VALUE
spec: | ||
containers: | ||
- name: nginx1 | ||
image: nginx |
C-0016 Allow privilege escalation:
Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.
Remediation: If your application does not need it, make sure the allowPrivilegeEscalation field of the securityContext is set to false.
Suggested change:
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
@@ -0,0 +1,8 @@ | |||
apiVersion: v1 |
C-0030 Ingress and Egress blocked:
Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new PODs, and then enable sources/destinations that this POD must communicate with.
Remediation: Define a network policy that restricts ingress and egress connections.
spec: | ||
containers: | ||
- name: nginx1 | ||
image: nginx |
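Review bot: `image: nginx` on the last line of this hunk carries no tag or digest, so the kubelet pulls whatever `nginx:latest` resolves to at scheduling time and a later push to the registry silently changes what this pod runs; pin it (`image: nginx:<version>`, or better `image: nginx@sha256:<digest>`) before merging. Since the file is new, also add `runAsNonRoot: true` to the securityContext next to the fields kubescape suggests; note that the stock nginx image starts its master process as root, so that setting needs an unprivileged image variant or an explicit `runAsUser` to work.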
C-0055 Linux hardening:
Containers may be given more privileges than they actually need. This can increase the potential impact of a container compromise.
Remediation: You can use AppArmor, Seccomp, SELinux and Linux Capabilities mechanisms to restrict containers abilities to utilize unwanted privileges.
Suggested change:
    image: nginx
    securityContext:
      seccompProfile: YOUR_VALUE

Suggested change:
    image: nginx
    securityContext:
      seLinuxOptions: YOUR_VALUE

Suggested change:
    image: nginx
    securityContext:
      capabilities:
        drop:
        - YOUR_VALUE
kind: Pod | ||
metadata: | ||
name: test | ||
spec: |
📝 [kubescape] reported by reviewdog 🐶
C-0077 K8s common labels usage:
Kubernetes common labels help manage and monitor Kubernetes cluster using different tools such as kubectl, dashboard and others in an interoperable way. Refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/ for more information. This control helps you find objects that don't have any of these labels defined.
Remediation: Define applicable labels or use the exception mechanism to prevent further notifications.
Suggested change:
  labels: YOUR_VALUE
spec:
No description provided.
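The kubescape findings in this thread (C-0061, C-0018, C-0017, C-0009, C-0056, C-0016, C-0030, C-0055, C-0077) each suggest one field in isolation. Below is the same 8-line Pod rewritten so that all of them pass at once, as an added example that is not part of the PR and not kubescape's own suggestion. Everything beyond the fields the findings name is an assumption chosen for illustration: the `web` namespace, the label values, the `nginxinc/nginx-unprivileged:1.27-alpine` image (an nginx build that listens on 8080, runs as uid 101 and writes only under /tmp, which is what makes `readOnlyRootFilesystem` and `runAsNonRoot` workable), the CPU and memory figures, the `ingress-nginx` source namespace and the `k8s-app: kube-dns` label on the cluster DNS pods.

```yaml
# Added example (not from the PR or from kubescape): the 8-line Pod above
# rewritten so that every control flagged in this thread passes.
# Assumed for illustration: the "web" namespace, the label values, the
# nginxinc/nginx-unprivileged image (listens on 8080, runs as uid 101 and
# writes only under /tmp), the resource figures, the ingress-nginx source
# namespace and the k8s-app=kube-dns label on the cluster DNS pods.
apiVersion: v1
kind: Namespace
metadata:
  name: web
---
apiVersion: v1
kind: Pod
metadata:
  name: test
  namespace: web                         # C-0061: explicit namespace, not "default"
  labels:                                # C-0077: Kubernetes common labels
    app.kubernetes.io/name: nginx
    app.kubernetes.io/instance: test
    app.kubernetes.io/component: web
spec:
  automountServiceAccountToken: false    # not flagged above; assumes nothing here calls the API server
  securityContext:
    runAsNonRoot: true                   # kubelet refuses to start the container as uid 0
    seccompProfile:
      type: RuntimeDefault               # C-0055: seccomp
  containers:
  - name: nginx1
    image: nginxinc/nginx-unprivileged:1.27-alpine   # pinned tag; a digest is stronger still
    ports:
    - containerPort: 8080
    securityContext:
      allowPrivilegeEscalation: false    # C-0016
      readOnlyRootFilesystem: true       # C-0017
      capabilities:
        drop: ["ALL"]                    # C-0055: Linux capabilities
    resources:                           # C-0009
      requests:
        cpu: 100m
        memory: 64Mi
      limits:
        cpu: 500m
        memory: 128Mi
    readinessProbe:                      # C-0018
      httpGet:
        path: /
        port: 8080
      periodSeconds: 5
    livenessProbe:                       # C-0056
      httpGet:
        path: /
        port: 8080
      initialDelaySeconds: 10
      periodSeconds: 10
    volumeMounts:                        # C-0017: the one directory nginx still writes to
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}
---
apiVersion: networking.k8s.io/v1         # C-0030: deny everything, then allow what is needed
kind: NetworkPolicy
metadata:
  name: test-restrict
  namespace: web
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: test
  policyTypes: ["Ingress", "Egress"]     # listing both types makes the empty default a deny
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx
    ports:
    - port: 8080
  egress:
  - to:
    - namespaceSelector: {}              # any namespace, but only pods carrying the DNS label
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
```

Two practical caveats. Dropping all capabilities and setting `readOnlyRootFilesystem` only works because the chosen image was built to run unprivileged and confine its writes to /tmp; with the stock `nginx` image the container would fail at startup (it binds port 80 as root and writes its pid and cache under /var), so pick the image before the securityContext. A NetworkPolicy is only enforced by a CNI that implements it; on a cluster whose network plugin ignores the resource, the object applies cleanly and kubescape stops flagging C-0030, but nothing is actually blocked, so verify with a connection test from another pod after applying.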